Abstract

Let $G_1$ be a cyclic multiplicative group of order $n$. It is known that the Diffie-Hellman problem is random self-reducible in $G_1$ with respect to a fixed generator $g$ if $\phi(n)$ is known. That is, given $g, g^x \in G_1$ and having oracle access to a 'Diffie-Hellman Problem' solver with fixed generator $g$, it is possible to compute $g^{1/x} \in G_1$ in polynomial time (see theorem 3.2). On the other hand, it is not known if such a reduction exists when $\phi(n)$ is unknown (see conjecture 3.1). We exploit this "gap" to construct a cryptosystem based on hidden order groups and present a practical implementation of a novel cryptographic primitive called an Oracle Strong Associative One-Way Function (O-SAOWF). O-SAOWFs have applications in multiparty protocols. We demonstrate this by presenting a key agreement protocol for dynamic ad-hoc groups.



1 Introduction

The problem of efficient key agreement in ad-hoc groups is a challenging problem, primarily because membership in such groups does not follow any specified pattern. We envisage an ad-hoc group as a broadcast group where members do not have one-to-one channels; rather, they share the communication medium such that everyone within range is able to receive any broadcast message. An efficient group key agreement protocol in this scenario should satisfy the property that the shared group key is computable without interaction with the other members. Such protocols are often called one-round key agreement protocols, where the only round consists of the initial key distribution phase. Two notable examples of one-round key agreement protocols are the classic two-party Diffie-Hellman key exchange [1] and the Joux tripartite key exchange using bilinear maps [2]. However, to date, constructing a generalized one-round n-party key agreement protocol has remained a challenging and open problem. In this paper, we present the first practical example of a one-round key agreement protocol for arbitrary size groups. Although our construction enables the group key to be computed non-interactively, it comes with a caveat: a third party is required to do most of the computation.

We refer the reader to [?] for a survey of key agreement protocols for ad-hoc groups. In the literature, most group key agreement protocols are classified in three categories: (a) Centralized, (b) Distributed and (c) Fully Contributory. Our proposed method is fully contributory, yet it uses a central authority. We elaborate on this below.

The original two-party Diffie-Hellman key exchange can be extended to fully contributory multi-party key exchange, as demonstrated in [?] using the Group Diffie-Hellman (GDH) protocol. However, all protocols based on GDH require many rounds of sequential messages to be exchanged between members.

Centralized protocols, on the other hand, have their own disadvantages; the central controller needs to maintain a large amount of state information for the groups it is managing. Our approach is to combine the two methods and design an efficient one-round key agreement protocol where the central controller does not maintain any state information.
Our protocol uses a central authority in computing the shared group key. However, the central authority is not responsible for key distribution and is only used as an "oracle" (i.e. a computing device) with public access. Users do not require secure channels in communicating with this oracle. Additionally, we provide a method to verify that the oracle is performing correctly. In our protocol, this oracle has some trapdoor information that can be efficiently used to compute partial public keys that are sent to users over an insecure public channel. Thus, our protocol can be directly converted into a de-centralized (or distributed) one simply by sharing this trapdoor information between a number of trusted authorities and allowing multiple "copies" of this oracle to function simultaneously. In effect, we present an entirely new model for secure group communication (see figure 1).

Figure 1: Secure group communication in our model. In our model, secure group communication is facilitated by the Oracle. Assuming that public keys are known in advance, users can use this Oracle to compute a shared secret key independently of the other users such that no (active or passive) adversary has the ability to compute this key. Essentially the oracle is used as a "verifiable computing device" and the adversary as the communication medium.

Our basic idea arises from the paper of Rabi and Sherman [?], where they described a cryptographic primitive called a Strong Associative One-Way Function (SAOWF), and discussed as an application a one-round key agreement protocol in ad-hoc groups. In related work, Boneh and Silverberg also proposed a one-round key agreement protocol for ad-hoc groups based on a similar primitive called a multilinear map [?]. However, as of now no practical construction of either primitive is known. In this paper we extend the work of Rabi and Sherman and give a practical construction of a SAOWF under a restricted model of computation, namely black-box computation.

This paper is organized as follows. In section 2 we give some background and notation. We define SAOWFs in section 2.1 and extend this definition to include black-box computation in section 2.4. Our construction is presented in section 4, followed by some applications and, finally, a discussion of implementation issues.

2 Preliminaries

Around 1984, Rivest and Sherman suggested the idea of one-round key agreement in ad-hoc groups using a class of cryptographic primitives that they called Associative One-Way Functions (AOWFs) [?]. Later, in 1993, Rabi and Sherman suggested the use of AOWFs in digital signatures [?]. In subsequent work, Rabi and Sherman [5] gave an existence proof of complexity theoretic AOWFs under the $P \neq NP$ hypothesis. Other authors studied complexity theoretic AOWFs with respect to different properties such as low ambiguity, strong invertibility, totality and commutativity [?, 13]. Finally, in [14], Hemaspaandra, Rothe and Saxena gave a complete characterization of complexity theoretic AOWFs.

In all the above works, however, the AOWFs considered are complexity theoretic, that is, they exhibit useful characteristics only in the worst case and not in the average case. Such constructions do not have much practical significance in the context of cryptography. In this work we focus on cryptographic AOWFs, that is, those that exhibit useful characteristics even in the average case. Additionally, we study only a small family of AOWFs, namely those that are commutative, total and strongly non-invertible. We call this the class of Strong Associative One-Way Functions (SAOWFs).

2.1 Strong Associative One-Way Functions

Let $(G, *)$ be a finite abelian group. The mapping

$$f : G \times G \to G,\qquad (A, B) \mapsto A * B$$

has the following four properties (we use the notation $f(A, B)$ and $A * B$ interchangeably):

P1. Associativity: $f(f(A, B), C) = f(A, f(B, C))\ \forall A, B, C \in G$.

P2. Commutativity: $f(A, B) = f(B, A)\ \forall A, B \in G$.

P3. Identity: There exists a unique element $I \in G$ such that $f(A, I) = A\ \forall A \in G$. We say $I$ is the identity element. Denote by $G^*$ the set $G \setminus \{I\}$.

P4. Inverses: For each $A \in G^*$, there exists a unique $B \in G^*$ such that $f(A, B) = I$. We say $B$ is the inverse of $A$ and denote it by $A^{-1}$.

The above properties come for "free" in any abelian group. We now additionally want to enforce the following three properties on $(G, *)$:

P5. Samplability: Elements of $G$ must be efficiently samplable.

P6. Computability: For all $A, B \in G$, $f(A, B)$ must be efficiently computable.

P7. Strong Non-Invertibility: Let $A, B \in G^*$ and $C \leftarrow f(A, B) \in G$. Given $A, C$, computing $B = f(C, A^{-1})$ must be infeasible in the average case.

Definition 2.1. We say that $f$ is a Strong Associative One-Way Function (SAOWF) if properties P1-P7 are satisfied.¹

¹ Most researchers differentiate between commutative and non-commutative SAOWFs [14]. For simplicity, we will enforce the commutativity property (P2) in our definition.
Remark 2.2. A SAOWF as defined above is analogous to a Group with Infeasible Inversion (GII) defined in [?].

Although SAOWFs have many applications, as demonstrated in [?, 15, 16], exhibiting a practical construction of a SAOWF is still an open problem. We make positive progress in this direction by presenting a practical black-box construction of a SAOWF.

We note that it is possible to construct a SAOWF $f$ under the $P \neq NP$ hypothesis if we replace "average case" by "worst case" in the statement of property P7 [?]. However, for applications significant to cryptography we require property P7 to be defined in the average case. For completeness, we also define weak non-invertibility as follows.

P8. Weak Non-Invertibility: Let $C \xleftarrow{R} G^*$. Given $C$, computing any pair $(A, B) \in G^{*2}$ such that $C = f(A, B)$ must be infeasible in the average case.

Definition 2.3. We say that $f$ is a Weak Associative One-Way Function (WAOWF) if properties P1-P6 and P8 are satisfied.

The strong non-invertibility condition (P7) requires that for any $C \leftarrow image(f)$, inverting $f$ with respect to a given preimage $A$ must be infeasible in the average case. However, this condition does not say anything about weak non-invertibility (P8), which requires that computing any preimage of $C$ must be infeasible. In fact, the results of [17] prove that there exists an associative one-way function that is strongly non-invertible but not weakly non-invertible.²

Thus, a WAOWF may not be a SAOWF and vice-versa. In this work, we do not enforce the weak non-invertibility requirement. Rather, we allow the function to be weakly invertible. It turns out that our construction of a SAOWF is strongly non-invertible, yet it is weakly invertible.

Clearly, property P7 implies that computing inverses in $G$ must be infeasible. Since the group $(G, *)$ is of finite order, the only way to achieve this is to keep the order of this group hidden. This is the main idea behind our construction.

2.2 Black-Box Constructions

Although the original objective of our research was to exhibit a practical construction of a SAOWF, in this work we focus on a slightly different but related problem: exhibiting a practical black-box construction of a SAOWF by extending the definition of "computation" in property P6 to include oracle computation.

In our black-box model, although the group $(G, *)$ is easily samplable, we do not have access to the algorithm for computing $f$. Instead, access to the computing algorithm is only provided via a "black-box" with public access. This is illustrated in figure 2.

However, for a black-box construction to have any practical significance it must support (a) verifiable and (b) private computation, as elaborated next.

2.3 PV-Oracles

In complexity theory, a black-box with public access is referred to as an oracle. In this work, we restrict ourselves to constructible oracles (i.e. oracles that can be constructed using some trapdoor), since we want our system to be practical. Additionally, to justify the use of a (constructible) oracle as a one-way function in a cryptographic protocol, we must provide the same guarantees that a real function provides. Specifically, a real function is private and verifiable. We define similar properties for oracles. We will restrict ourselves to an oracle that computes a binary commutative function using two inputs.

² We note that the terminology used in this paper is slightly non-standard (but more intuitive). For instance, "weak non-invertibility" as defined here is simply referred to as "non-invertibility" in the literature [17]. Additionally, "weak" in the literature is used to refer to non-total functions [13]. However, since we are working in finite abelian groups, we can dispense with definitions such as honesty, non-commutativity and totality used in [13, 14] for describing SAOWFs.
Figure 2: Comparing a real and black-box computation. (a) A real computable function, drawn as a routine "int compute(int A, int B)" implementing $f(A, B)$: private, verifiable computation. (b) A black box that takes $A, B$ and returns $f(A, B)$: public, unverifiable computation.



Verifiable Oracles. Let $f$ be the binary commutative function computed by an oracle. We say that the oracle supports verifiable computation if for all $A, B \in domain(f)$ and all $C \in image(f)$, there exists a PPT verification algorithm Verify that outputs 1 if $C = f(A, B)$ and 0 otherwise. An oracle supporting verifiable computation is called a Verifiable Oracle (V-Oracle).³ A V-Oracle is illustrated in figure 3.

Figure 3: Public, Verifiable Black-box computation (V-Oracle).

Private And Verifiable Oracles. Let $f$ be the binary commutative function computed by a V-Oracle. We say that the V-Oracle supports private computation if the inputs and outputs of the computation can be blinded from the V-Oracle such that the blinding algorithm provides information theoretic secrecy. Formally, there must exist two PPT algorithms Blind and Unblind as follows.

³ As an example of a V-Oracle with one input, consider an existentially unforgeable signature scheme. The signing oracle is a V-Oracle since the signature can obviously be verified.
Blind is a randomized algorithm and takes as input an element $A \in domain(f)$ and outputs a tuple $(A', \alpha)$, where $A' \in domain(f)$ and the distributions $\{A\}$ and $\{A'\}$ are independent and identical. We say that Blind is the Blinding Algorithm and $\alpha$ is the Unblinding Value.

Unblind takes as input a tuple $(C', \alpha)$, where $C' \in image(f)$. It outputs a value $C \in image(f)$ such that the following homomorphic property holds (we call Unblind the Unblinding Algorithm):

$$\Pr\left[\, Unblind(f(A', B), \alpha) = f(A, B) \;:\; A, B \xleftarrow{R} domain(f);\ (A', \alpha) \leftarrow Blind(A) \,\right] = 1 \qquad (1)$$
We call a V-Oracle supporting a private computation a Private V-Oracle (PV-Oracle).⁴ See figure 4 for an illustration of a PV-Oracle.

Figure 4: Private and Verifiable Black-box computation (PV-Oracle). The inputs pass through Blinding, the black box computes $f(A', B')$, the result passes through Verifying and then Unblinding; the black-box step by itself is public, verifiable computation, while the whole pipeline is private, verifiable computation.



2.4 Oracle SAOWFs (O-SAOWFs)

We now extend the definition of computation in property P6 of section 2.1 to include computation by PV-Oracles. We call such a construction an Oracle-SAOWF (O-SAOWF) and formally define it below.

Definition 2.4. A black-box construction of a SAOWF implemented using a PV-Oracle is called an Oracle-SAOWF (O-SAOWF). An O-SAOWF construction has four PPT "algorithms" as described below (we use quotes here because one of the algorithms, PV-Compute, is not a real algorithm in the usual sense; it involves a call to a PV-Oracle).

Setup This is a randomized algorithm and takes as input a security parameter $\tau$. It outputs the system parameters params for the group $(G, *)$ and a master key master-key.

Sample This is a randomized algorithm and takes in the parameter params. It outputs a uniformly selected element $A \xleftarrow{R} G$ along with some auxiliary information $\sigma_A$, which we will call the sampling information in our construction.

Compute This algorithm takes as input the parameter params, the master key master-key and two values $A, B$. If $(A, B) \notin G^2$, it sets $C \leftarrow I$ (recall that $I$ is the identity element). On the other hand, if $(A, B) \in G^2$ it computes $C \leftarrow f(A, B) = A * B$. The output is $C \in G$. We assume that master-key acts like a trapdoor that enables computation of $f$.

Define a PV-Oracle $O$ having access to master-key and implementing the Compute algorithm. We assume that master-key is not known to anybody else. The fourth algorithm involves a call to this oracle.

PV-Compute This algorithm takes as input the parameter params and two elements $A, B \in G$. It uses the Verify, Blind and Unblind algorithms defined in section 2.3 as sub-routines to compute $C \leftarrow f(A, B) = A * B$ privately and verifiably by querying the PV-Oracle $O$ that implements the Compute procedure. It outputs $C \in G$.

⁴ As an example of a PV-Oracle with one input, consider an RSA decryption oracle w.r.t. a given RSA public key. Information theoretic privacy for inputs to the decryption oracle can be achieved using Chaum's blinding technique [19].

2.4.1 Security Of O-SAOWFs

Assume that the PV-Compute algorithm performs correctly (that is, the Verify algorithm is correct and the Blind/Unblind algorithms provide information theoretic secrecy). Also assume that access to the Compute algorithm is available only in a black-box manner via oracle $O$ that knows the parameter master-key. We can then define the security of the O-SAOWF as follows. We say that a PPT algorithm $\mathcal{A}$ breaks the O-SAOWF if it is able to "strongly invert" the O-SAOWF and compute inverses in $G$ having only black-box access to the Compute algorithm. We call this the Group Inversion Problem ($GIP_G$). Formally, the advantage of $\mathcal{A}$ in solving $GIP_G$ is defined as

$$GIP\text{-}Adv_{\mathcal{A}}(\tau) = \Pr\left[\ \cdots \;:\; (params, master\text{-}key) \leftarrow Setup(\tau),\ (P, \sigma_P) \leftarrow Sample(params)\ \right] \qquad (2)$$

Definition 2.5. We say that algorithm $\mathcal{A}$ $(k_O, \delta, \epsilon)$-breaks the O-SAOWF $f$ if $\mathcal{A}$ runs in time at most $\delta$; $\mathcal{A}$ makes at most $k_O$ adaptive queries to the oracle $O$ implementing the Compute algorithm; and $GIP\text{-}Adv_{\mathcal{A}}(\tau)$ is at least $\epsilon$. Alternatively, we say that the O-SAOWF is $(k_O, \delta, \epsilon)$-secure under an adaptive attack if no such algorithm $\mathcal{A}$ exists.

It is clear that a black-box SAOWF $f$, where we extend the definition of computation in property P6 to include computation by PV-Oracles, is identical to a "real" computable SAOWF $f$ in terms of functionality. However, until now it had been an open question to present even a black-box construction of SAOWFs using PV-Oracles. In this work, we present the first practical construction of a black-box SAOWF based on a PV-Oracle. In other words, our construction allows private (in the information-theoretic sense) and verifiable computation.⁵

Remark 2.6. It should be noted that the above model of an O-SAOWF $f$ that allows black-box computation of the group operation $*$ on $G$ using a PV-Oracle is different from a black-box group, a notion introduced by Babai and Szemerédi [20] (see also [23]), where access to the entire group $(G, *)$ is provided through black-box routines and the representation of group elements is opaque. In contrast, the above model is an example of a semi black-box group, since the representation of group elements is not opaque and certain operations like blinding/unblinding, sampling and verification of composition can be done outside of the black-box.

3 The Underlying Primitives

In this section, we give a brief overview of the two main underlying primitives of our construction: (i) composite order bilinear maps, and (ii) the Paillier cryptosystem.

⁵ It is noteworthy that our construction of a black-box SAOWF using a PV-Oracle also serves as an existence proof of real computable SAOWFs in a way, because we achieve almost identical functionality using a black-box construction.
3.1 Bilinear Maps

Let $G_1$ and $G_2$ be two cyclic multiplicative groups both of the same order $n$ such that computing discrete logarithms in $G_1$ and $G_2$ is intractable. A bilinear pairing is a map $e : G_1 \times G_1 \to G_2$ that satisfies the following properties:

1. Bilinearity: $e(a^x, b^y) = e(a, b)^{xy}\ \forall a, b \in G_1$ and $x, y \in \mathbb{Z}_n$.

2. Non-degeneracy: If $g$ is a generator of $G_1$ then $e(g, g)$ is a generator of $G_2$.

3. Computability: The map $e$ is efficiently computable.

The above properties also imply:

$$e(ab, c) = e(a, c) \cdot e(b, c)\quad \forall a, b, c \in G_1$$

$$e(a, bc) = e(a, b) \cdot e(a, c)\quad \forall a, b, c \in G_1$$

Additionally, we assume that it is easy to sample elements from $G_1$. In a practical implementation, the group $G_1$ is the set of points on an elliptic curve and $G_2$ is the multiplicative subgroup of a finite field. The map $e$ is derived either from the modified Weil pairing [?, 22] or the Tate pairing [21]. We will assume that the smallest prime factor of $n$ is $> 2^{171}$ so that the fastest algorithm for computing discrete logarithms in $G_1$ (Pollard's rho method [23, p. 128]) takes $> 2^{85}$ iterations [22].

3.1.1 Problems in Bilinear Maps

It is clear that irrespective of whether $n$ is prime or composite, both $G_1$ and $G_2$ have generators. Fix some generator $g$ of $G_1$ and define the following problems.

Computational Diffie-Hellman Problem [$CDHP_{(g, G_1)}$]: Given $g^x, g^y \in G_1$, output $g^{xy} \in G_1$.

Decision Diffie-Hellman Problem [$DDHP_{(g, G_1)}$]: Given $g^x, g^y, g^z \in G_1$, output 1 if $z = xy \in \mathbb{Z}_n$; otherwise output 0.

Inverse Diffie-Hellman Problem [$IDHP_{(g, G_1)}$]: Given $g^x \in G_1$ for some $x \in \mathbb{Z}_n^*$, output $g^{1/x} \in G_1$.

The following result was noted by Joux and Nguyen [26].

Lemma 3.1. $DDHP_{(g, G_1)}$ (the decision Diffie-Hellman problem) is easy.

Proof. Clearly, from the properties of the mapping, $z = xy \in \mathbb{Z}_n$ if and only if $e(g, g^z) = e(g^x, g^y)$. Thus, solving $DDHP_{(g, G_1)}$ is equivalent to computing the mapping $e$ twice. □

The next theorem shows that the computational Diffie-Hellman problem is random self-reducible in the group $G_1$ if $\phi(n)$ is known.

Theorem 3.2. $IDHP_{(g, G_1)} \Rightarrow CDHP_{(g, G_1)}$ if $\phi(n)$ is known.

Proof. We must show that given an $IDHP_{(g, G_1)}$ instance $g^x \in G_1$ for some $x \in \mathbb{Z}_n^*$ and access to a $CDHP_{(g, G_1)}$ oracle, we can efficiently compute $g^{1/x} \in G_1$. This follows from the following facts.

1. Fact. From Euler's theorem [23, p. 69] we know that $\forall u \in \mathbb{Z}_n^*$, $u^{\phi(n)} = 1 \bmod n$. Equivalently, $u^{\phi(n) - 1} = 1/u \bmod n$.

2. Fact. Given any pair $g^u, g^v \in G_1$ for arbitrary $u, v \in \mathbb{N}$ we can use the $CDHP_{(g, G_1)}$ oracle to compute $g^{uv} \in G_1$.

3. Fact. Given any value $g^u \in G_1$, we can use the $CDHP_{(g, G_1)}$ oracle to compute $g^{u^{2^i}}$ for any $i \in \mathbb{N}$ by the "repeated squaring" method (see [23, p. 23] for an example).

Therefore, from $g^x$ we can efficiently compute $h = g^{x^{\phi(n) - 1}} \in G_1$ using the $CDHP_{(g, G_1)}$ oracle and the "repeated squaring and multiply" algorithm of [23, p. 71] (via facts 2 and 3). Then from fact 1, $h = g^{1/x}$, and thus $h$ is the required solution. □
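The reduction in the proof above, as an added example that is not part of the paper: a Python model at toy scale, in which the pairing group $G_1$ is replaced by the subgroup of order $n = pq$ inside $\mathbb{Z}_P^*$ for a constructed prime $P$, and the $CDHP_{(g, G_1)}$ oracle is simulated by a brute-force discrete-log table that only the oracle consults. The names make_group, CDHOracle and solve_idhp are my own.

```python
from math import gcd

def is_prime(m):
    """Trial division; adequate for the toy sizes used here."""
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))

def make_group(p, q):
    """Constructed stand-in for G_1: the subgroup of order n = pq inside Z_P^*,
    with P prime, n | P-1, and a generator g of order exactly n. No pairing."""
    n = p * q
    k = 2
    while not is_prime(k * n + 1):
        k += 1
    P = k * n + 1
    for h in range(2, P):
        g = pow(h, k, P)                      # g^n = h^(P-1) = 1, so ord(g) divides n
        if g != 1 and pow(g, q, P) != 1 and pow(g, p, P) != 1:
            return n, P, g                    # ord(g) is neither 1, p nor q, hence n
    raise ValueError("no generator found")

class CDHOracle:
    """CDHP_(g,G_1) solver with fixed generator g: cdh(g^a, g^b) = g^(ab).
    At toy size it recovers a from a precomputed table; solve_idhp below only
    ever sees the group elements it returns, never any exponent."""
    def __init__(self, n, P, g):
        self.P, self.g = P, g
        self.dlog = {pow(g, a, P): a for a in range(n)}
        self.queries = 0

    def cdh(self, u, v):
        self.queries += 1
        return pow(v, self.dlog[u], self.P)

def solve_idhp(oracle, gx, phi_n):
    """Theorem 3.2: return g^(1/x) from g^x using only CDHP queries and phi(n).
    Euler gives x^(phi(n)-1) = 1/x mod n, so the target is g^(x^(phi(n)-1)).
    The exponent x^(phi(n)-1) is built by square-and-multiply on the exponent
    of x: 'squaring' is cdh(g^(x^i), g^(x^i)) = g^(x^(2i)) (fact 3) and
    'multiplying' is cdh(g^(x^i), g^(x^j)) = g^(x^(i+j)) (fact 2)."""
    e = phi_n - 1
    acc = oracle.g                            # g^(x^0)
    power = gx                                # g^(x^(2^k)) for the current bit k
    while e:
        if e & 1:
            acc = oracle.cdh(acc, power)
        power = oracle.cdh(power, power)
        e >>= 1
    return acc

def demo(p=11, q=13, x=29):
    """Run the reduction on constructed toy parameters and report what it found."""
    n, P, g = make_group(p, q)
    assert gcd(x, n) == 1                     # IDHP instances need x in Z_n^*
    phi_n = (p - 1) * (q - 1)
    oracle = CDHOracle(n, P, g)
    answer = solve_idhp(oracle, pow(g, x, P), phi_n)
    expected = pow(g, pow(x, -1, n), P)       # g^(1/x); computable here only because x is known
    return {"n": n, "P": P, "answer": answer, "expected": expected,
            "correct": answer == expected, "queries": oracle.queries}

if __name__ == "__main__":
    print(demo())
```

With $n = 143$ and $\phi(n) = 120$ the exponent 119 has 7 bits, 6 of them set, so the reduction makes 13 oracle queries and never needs $x$ itself.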

Although theorem 3.2 says that $IDHP_{(g, G_1)} \Rightarrow CDHP_{(g, G_1)}$ if $\phi(n)$ is known, it is not clear if the same reduction holds when $\phi(n)$ is unknown. In light of this, we make the following hypothesis, necessary for the security of our construction.

Conjecture 3.1. $IDHP_{(g, G_1)} \not\Rightarrow CDHP_{(g, G_1)}$ if $\phi(n)$ is unknown.


3.1.2 BDH Parameter Generator

We will further assume that $n = |G_1| = |G_2| = pq$, where $p, q$ are large primes such that given the product $n = pq$, factoring $n$ is intractable. We refer the reader to [?] for details on generating composite order bilinear maps for any given $n$ that is square free.

Using the idea of [?], we define a Bilinear Diffie-Hellman (BDH) parameter generator as a randomized PPT algorithm $\mathcal{BDH}$ that takes a single parameter $\tau \in \mathbb{N}$ and outputs a tuple $(e, G_1, G_2, p, q)$ such that $p, q$ are distinct primes of $\tau$ bits each, $G_1, G_2$ are two cyclic multiplicative groups of the same order $pq$, and $e : G_1 \times G_1 \to G_2$ is a bilinear mapping as defined in section 3.1.

For any PPT algorithm $\mathcal{A}$, denote by $CDHP\text{-}Adv_{\mathcal{A}}(\tau)$ the advantage of $\mathcal{A}$ in solving $CDHP_{(g, G_1)}$ for some security parameter $\tau$. Formally,

$$CDHP\text{-}Adv_{\mathcal{A}}(\tau) = \Pr\left[\ \mathcal{A}(e, n, G_1, G_2, g, u, v) = g^{xy} \;:\; (e, G_1, G_2, p, q) \leftarrow \mathcal{BDH}(\tau) \text{ s.t. } |G_1| = |G_2| = pq,\ n = pq,\ g \xleftarrow{R} G_1 \text{ s.t. } \langle g \rangle = G_1,\ (x, y) \xleftarrow{R} \mathbb{Z}_n^2,\ u = g^x,\ v = g^y\ \right] \qquad (3)$$

Similarly, we denote by $IDHP\text{-}Adv_{\mathcal{A}}(\tau)$ the advantage of $\mathcal{A}$ in solving $IDHP_{(g, G_1)}$. Formally,

$$IDHP\text{-}Adv_{\mathcal{A}}(\tau) = \Pr\left[\ \mathcal{A}(e, n, G_1, G_2, g, u) = g^{1/x} \;:\; (e, G_1, G_2, p, q) \leftarrow \mathcal{BDH}(\tau) \text{ s.t. } |G_1| = |G_2| = pq,\ n = pq,\ g \xleftarrow{R} G_1 \text{ s.t. } \langle g \rangle = G_1,\ x \xleftarrow{R} \mathbb{Z}_n^*,\ u = g^x\ \right] \qquad (4)$$

We will make the following two assumptions for all our constructions.

Diffie-Hellman Assumption: The computational Diffie-Hellman problem ($CDHP_{(g, G_1)}$) is intractable. In other words, for all PPT algorithms $\mathcal{A}$, $CDHP\text{-}Adv_{\mathcal{A}}(\tau)$ is a negligible function of $\tau$.

Inverse Diffie-Hellman Assumption: The inverse Diffie-Hellman problem ($IDHP_{(g, G_1)}$) is intractable. In other words, for all PPT algorithms $\mathcal{A}$, $IDHP\text{-}Adv_{\mathcal{A}}(\tau)$ is a negligible function of $\tau$.



3.2 The Paillier Cryptosystem

Our idea of constructing the O-SAOWF is to use an oracle as a "Diffie-Hellman problem" solver in the bilinear group $G_1$ of composite order $n$. Since the only known way to solve the Diffie-Hellman problem is to compute discrete logarithms, we provide the discrete logarithms to the oracle in an encrypted form using an asymmetric cryptosystem. The requirement here is that the encryption algorithm $E$ must possess the following multiplicative homomorphic property: for any messages $m_1, m_2 \in \mathbb{Z}_n^*$, given $\{E(m_1), m_2\}$ or $\{m_1, E(m_2)\}$, it must be possible to compute $E(m_1 m_2 \bmod n)$ directly without knowing the corresponding decryption algorithm $D$. The Paillier cryptosystem [29] has this property.⁶

⁶ Although this property is necessary, it is not sufficient; the RSA [30] and Rabin [31] cryptosystems also have this property. However, our construction based on RSA or Rabin is insecure.
The following facts form the basis of the Paillier cryptosystem. Let $n = pq$, where $p, q$ are distinct odd primes. Let $\lambda = \mathrm{lcm}(p - 1, q - 1)$ and $\phi(n) = (p - 1)(q - 1)$.

1. Fact. $|\mathbb{Z}_{n^2}^*| = n\phi(n)$.

2. Fact. For all $w \in \mathbb{Z}_{n^2}^*$ it is true that $w^{n\lambda} = 1 \bmod n^2$ and $w^{\lambda} = 1 \bmod n$.

3. Fact. For all $w \in \mathbb{Z}_{n^2}^*$ it is true that $(w^{\lambda} \bmod n^2) = 1 \bmod n$. Thus the mapping $L : \mathbb{Z}_{n^2}^* \to \mathbb{Z}_n$, where $L(u) = \frac{u - 1}{n}$, is well defined on the values $u = w^{\lambda} \bmod n^2$.

We are now ready to describe the Paillier cryptosystem (see [29] for details).

Key Generation: Generate $p, q \xleftarrow{R} \mathbb{N}$, where $p, q$ are large distinct primes. Set $n \leftarrow pq$ and $\lambda \leftarrow \mathrm{lcm}(p - 1, q - 1)$. Generate $t \xleftarrow{R} \mathbb{Z}_{n^2}^*$ such that the order of $t$ is a non-zero multiple of $n$. This can be done by checking that $L(t^{\lambda} \bmod n^2)$ is invertible in $\mathbb{Z}_n$. The public key is $(t, n)$ and the private key is $(\lambda, n)$.

For convenience in this paper, we will use the notation $E, D$ to denote the encryption and decryption functions respectively for some fixed parameters $(\lambda, t, n)$ whenever the parameters are clear from the context.

Encrypt: To encrypt a message $m \in \mathbb{Z}_n$, generate random $r \xleftarrow{R} \mathbb{Z}_n^*$ and set

$$E(m) = t^m r^n \bmod n^2$$

The ciphertext is $c \in \mathbb{Z}_{n^2}^*$.

Decrypt: To decrypt, compute

$$D(c) = \frac{L(c^{\lambda} \bmod n^2)}{L(t^{\lambda} \bmod n^2)} \in \mathbb{Z}_n$$

3.2.1 Homomorphic Properties

The Paillier cryptosystem has the following homomorphic properties [29].

1. Plaintext multiplication:

$$\forall m_1, m_2 \in \mathbb{Z}_n:\quad D(E(m_1)^{m_2} \bmod n^2) = D(E(m_2)^{m_1} \bmod n^2) = m_1 m_2 \bmod n$$

2. Self Blinding:

$$\forall m \in \mathbb{Z}_n,\ \forall r \in \mathbb{N}:\quad D(E(m) r^n \bmod n^2) = m$$

The semantic security of the above encryption scheme is proved under the Decision Composite Residuosity Assumption (DCRA) [29], which states that the following problem is hard unless the factors of $n$ are known.

Decision Composite Residuosity Problem [$DCRP_n$]: Given $x \xleftarrow{R} \mathbb{Z}_{n^2}^*$, output 1 if $\exists y \in \mathbb{Z}_{n^2}^*$ s.t. $x = y^n \pmod{n^2}$; otherwise output 0.

The DCRA is a stronger assumption than factoring [?]. See [23, ?] for a discussion on the bit-security of the Paillier cryptosystem.



4 Our O-SAOWF Construction

Our construction will describe the four algorithms Setup, Sample, Compute and PV-Compute defined in section 2.4. For clarity of presentation, we give the construction in stages. First we describe the underlying primitives of our construction and any necessary security assumptions. Next, we describe the Setup procedure and elaborate on the structure of the group $(G, *)$ defined by params before describing the remaining algorithms.
4.1 Setup

This algorithm generates the system parameters. The input is a single parameter $\tau \in \mathbb{N}$.

1. Use the BDH parameter generator $\mathcal{BDH}$ of section 3.1.2 to output $(e, G_1, G_2, p, q) \leftarrow \mathcal{BDH}(\tau)$, where $p, q$ are large distinct primes of $\approx \tau$ bits each, $G_1, G_2$ are descriptions of two groups both of order $pq$ and $e : G_1 \times G_1 \to G_2$ is a bilinear map (of section 3.1). Then pick a generator $g \xleftarrow{R} G_1$.

2. Set $n \leftarrow pq$ and $\lambda \leftarrow \mathrm{lcm}(p - 1, q - 1)$. Then generate an element $t \xleftarrow{R} \mathbb{Z}_{n^2}^*$ such that the order of $t$ is a non-zero multiple of $n$. The pair $(t, n)$ is the public key for the Paillier cryptosystem. The corresponding private key is $(\lambda, n)$. We will denote the corresponding encryption and decryption algorithms by $E$ and $D$ respectively.

3. Generate $\alpha, r \xleftarrow{R} \mathbb{Z}_n^*$. Then set $h \leftarrow g^{\alpha} \in G_1$ and $\beta \leftarrow E(\alpha) = t^{\alpha} r^n \in \mathbb{Z}_{n^2}^*$.

4. Output $params \leftarrow (e, G_1, G_2, g, t, n, h, \beta)$ and $master\text{-}key \leftarrow \lambda$.

Recall that the Compute algorithm requires as input the parameter master-key and is accessible only as a black-box routine via oracle $O$ that implements this algorithm. The value master-key is sent to $O$ via a secure channel and the value params is made public.

4.2 Description Of $(G, *)$

From params, the tuple $(e, G_1, G_2, g, t, n)$ defines the structure of the group $(G, *)$ and the pair $(h, \beta)$ represents a random element of this group. We now describe the structure of this group.

1. Consider the set $S \subseteq G_1$ defined as

$$S = \{x \mid x = g^y \text{ for some } y \in \mathbb{Z}_n^*\}$$

Clearly, $|S| = \phi(n) = |\mathbb{Z}_n^*|$ and $S$ is exactly the set of elements of $G_1$ having order $n$.

2. Define the set $G \subseteq S \times \mathbb{Z}_{n^2}^*$ as

$$G = \{(x, y) \mid x = g^{D(y)}\} \qquad (5)$$

and define a binary operation $*$ on $G$ using the multi-valued mapping

$$f : G \times G \to G,\qquad (A, B) \mapsto A * B$$

as follows. Let $A = (x_A, y_A)$ and $B = (x_B, y_B)$. Then $A * B = (x_C, y_C)$, where

$$x_C \leftarrow x_A^{D(y_B)} = g^{D(y_A) D(y_B)} = x_B^{D(y_A)} \in G_1 \qquad (6)$$

$$y_C \leftarrow E(D(y_A) D(y_B) \bmod n) \in \mathbb{Z}_{n^2}^* \qquad (7)$$

Thus, $x_C = g^{D(y_C)}$ and therefore $(x_C, y_C) \in G$.

3. Finally, define an equivalence relation $\sim$ on $G$ as follows. For any $A, B \in G$, where $A = (x_A, y_A)$ and $B = (x_B, y_B)$, we say that $A \sim B$ if and only if $x_A = x_B$. This relation is symmetric, reflexive and transitive. Thus, it indeed forms an equivalence relation.

We state without proof the following lemmas (which can be easily verified):

Lemma 4.1. For any $A, B \in G$, it is true that $A * B \sim B * A$. That is, the relation $\sim$ transforms $*$ into a commutative operation over $G$.
Lemma 4.2. For any $A, B, C \in G$, it is true that $(A * B) * C \sim A * (B * C)$. That is, the relation $\sim$ transforms $*$ into an associative operation over $G$.

For any $A \in G$, denote by $[A] \subseteq G$ the equivalence class of $A$ with respect to the relation $\sim$. Therefore we can define an equivalence class $[I] \subseteq G$ as follows:

$$[I] = \{X \mid X \sim (g, t) \sim (g, E(1))\}$$

Lemma 4.3. For any $[A] \subseteq G$, there exists a unique $[B] \subseteq G$ such that $[A] * [B] = [I]$. Additionally, $[A] * [I] = [A]$.

It is clear from the above lemmas that the relation $\sim$ transforms the equivalence classes of $G$ into an abelian group with respect to the binary operation $*$. The order of this group ($\phi(n)$) is effectively hidden from anyone who does not know the factors of $n$.

For any $[A] \subseteq G$, let the symbol $[A]^i$ denote $[A] * [A] * \ldots * [A]$ ($i$ times). The inverse of $[A]$ is denoted by $[A]^{-1}$. It can be trivially verified that the following are also true.

$$[A]^i * [A]^j = [A]^{i+j},\qquad ([A]^i)^j = [A]^{ij},\qquad [A] * [A]^{-1} = [A]^0 = [I],\qquad ([A] * [B])^k = [A]^k * [B]^k \qquad \forall [A], [B] \subseteq G,\ \forall i, j, k \in \mathbb{Z}$$

We will slightly abuse notation and denote the equivalence class $[A]$ by $A$. We will use $=$ instead of $\sim$ to indicate that we are working with equivalence classes. For any $j$ given elements $A_1, A_2, \ldots, A_j \in G$, we denote $A_1 * A_2 * \ldots * A_j$ by $\prod_{i=1}^{j} A_i$.

4.3 Properties Of (G,*) 

We now enumerate some important properties of the group (G,*). 

1. Samplability: $G$ is efficiently samplable. To sample from $G$, first generate random $\sigma \leftarrow \mathbb{Z}_n^*$. Then set $x \leftarrow g^{\sigma} \in G_1$ and $y \leftarrow E(\sigma) \in \mathbb{Z}_{n^2}^*$. We see that $(x, y) \in G$. In this case we call $\sigma$ the sampling information of $(x, y)$. When we say that $A \in G$ has been sampled by us, we imply that the sampling information of $A$ is known. The sampling information acts like a trapdoor in our construction.

2. Trapdoor Computability: Let $A, B \in G$ be given. Anyone who has sampled either one of $A$ or $B$ can compute $A \star B$ efficiently as follows:

Let $A = (x_A, y_A)$ and $B = (x_B, y_B)$ be given. Additionally, we are given $\sigma_A \in \mathbb{Z}_n^*$, the sampling information of $A$. That is, $x_A = g^{\sigma_A} \in G_1$ and $y_A = E(\sigma_A) \in \mathbb{Z}_{n^2}^*$. To compute $A \star B$, first generate random $r \leftarrow \mathbb{Z}_n^*$. Then set $x \leftarrow x_B^{\sigma_A} \in G_1$ and $y \leftarrow y_B^{\sigma_A} \cdot r^n \in \mathbb{Z}_{n^2}^*$.

Therefore, $x = x_B^{D(y_A)}$ and, due to the homomorphic properties of the Paillier cryptosystem, we find that $y = E(\sigma_A D(y_B) \bmod n) = E(D(y_A) D(y_B) \bmod n)$. Thus, $(x, y) = A \star B$.

3. Trapdoor Strong Invertibility and Exponentiation: Let $A, B \in G$ be given. Anyone who has sampled $A \in G$ can also compute $A^{-1} \star B$ because if $\sigma_A \in \mathbb{Z}_n^*$ is the sampling information for $A$ then $\sigma_A^{-1} \in \mathbb{Z}_n^*$ is the sampling information for $A^{-1}$. Also, for any $i \in \mathbb{Z}$, the sampling information for $A^i \in G$ is $(\sigma_A)^i \in \mathbb{Z}_n^*$.

4. Non-computability: Let $A, B \in G$ be given. Anyone who has not sampled at least one of $\{A, B, A^{-1}, B^{-1}\}$ cannot compute $A \star B$ without knowledge of $\lambda$.

5. Strong Non-invertibility: Let $A, B \in G$ be given. Anyone who has not sampled at least one of $\{A, A^{-1}\}$ cannot compute $A^{-1} \star B$ without knowledge of $\lambda$.



6. Indistinguishability: Let $(x, y) \in G_1 \times \mathbb{Z}_{n^2}^*$ be given. It is infeasible to decide if $(x, y) \in G$ without knowledge of $\lambda$.

7. Black-Box Computability: Let $A, B \in G$ be given. Anyone knowing $\lambda$ has the ability to compute $A \star B$ using equations (6) and (7).

8. Black-Box Distinguishability: Let $(x, y) \in G_1 \times \mathbb{Z}_{n^2}^*$ be given. Anyone knowing $\lambda$ also has the ability to decide if $(x, y) \in G$ by virtue of equation (5).

4.4 A Concrete O-SAOWF Construction 

We now describe a concrete construction of an O-SAOWF under definition 2.4. In addition to the four main algorithms Setup, Sample, Compute, PV-Compute and the three algorithms Verify, Blind and Unblind used as subroutines in PV-Compute, our construction has four 'auxiliary' algorithms Verify-In-Group, Verify-Not-In-Group, TD-Exponentiate and V-Compute. Thus, our construction has a total of eleven algorithms. The Setup algorithm is described in section 4.1 while the Sample algorithm is described in section 4.3, item 1.



A-1. Setup

Input: $\tau \in \mathbb{N}$

Step-1. Generate $\{e, G_1, G_2, g, t, n, h, \beta, \lambda\}$ as described in section 4.1
Step-2. Set params $\leftarrow (e, G_1, G_2, g, t, n, h, \beta)$ and master-key $\leftarrow \lambda$.
Output: (params, master-key)



A-2. Sample

Input: params

Step-1. Generate $\sigma_A \leftarrow \mathbb{Z}_n^*$
Step-2. Set $x_A \leftarrow g^{\sigma_A} \in G_1$; $y_A \leftarrow t^{\sigma_A} r^n \bmod n^2 = E(\sigma_A) \in \mathbb{Z}_{n^2}^*$
Step-3. Set $A \leftarrow (x_A, y_A) \in G$

Output: $(A, \sigma_A) \in G \times \mathbb{Z}_n^*$ [$\sigma_A$ is the sampling information of $A$]



Remark 4.4. From the value params, the pair $(h, \beta) \in G$ is such that its sampling information $\alpha \in \mathbb{Z}_n^*$ is unknown (see section 4.1).

A high level description of the Compute algorithm is given below. 



A-3. Compute

Input: (master-key, params, $A$, $B$), where $A, B \in G_1 \times \mathbb{Z}_{n^2}^*$

Step-1. Use master-key $= \lambda$ to decide if $(A, B) \in G^2$ [see section 4.3, item 8]
Step-2. If $(A, B) \notin G^2$, set $C \leftarrow I \in G$; otherwise, compute $A \star B$ using $\lambda$ and set $C \leftarrow A \star B$ [see section 4.3, item 7]
Output: $C \in G$



Functionality Of Oracle $\mathcal{O}$: Access to Compute is provided in a black-box manner via the oracle $\mathcal{O}$ that knows master-key and params. The oracle works as follows.

Oracle $\mathcal{O}$

Input: $A, B \in G_1 \times \mathbb{Z}_{n^2}^*$

Step-1. Set $C \leftarrow$ Compute(master-key, params, $A$, $B$)

Output: $C \in G$ [We say $C = \mathcal{O}(A, B)$]



Remark 4.5. A query to oracle $\mathcal{O}$ on inputs $(A, B) \notin G^2$ requires at most two exponentiations in $G_1$ and $\mathbb{Z}_{n^2}^*$. On the other hand, if $(A, B) \in G^2$, the query always involves three exponentiations in $G_1$ and $\mathbb{Z}_{n^2}^*$. Also, $\mathcal{O}(A, B) = A \star B$ whenever $(A, B) \in G^2$.

Remark 4.6. Assuming that access to oracle $\mathcal{O}$ is authentic, we can use $\mathcal{O}$ to decide if any given pair $(x, y) \in G$. Additionally, we can use $\mathcal{O}$ to compute $A^i$ for any $A \in G$, $i \in \mathbb{N}$ using the "repeated squaring and multiply" method [25, p. 71].

Since access to oracle $\mathcal{O}$ is over an insecure public channel, we cannot assume that oracle replies are authentic. Denote by $\mathcal{O}^*$ the unauthenticated oracle (which could be an active adversary) claiming to be oracle $\mathcal{O}$.

The following algorithm Verify-In-Group uses oracle $\mathcal{O}^*$ to decide whether any given pair $(x, y) \in G_1 \times \mathbb{Z}_{n^2}^*$ is indeed an element of $G$. If $(x, y) \in G$ the algorithm outputs 1 with a high probability.



A-4. Verify-In-Group

Input: (params, $x$, $y$) such that $(x, y) \in G_1 \times \mathbb{Z}_{n^2}^*$

Step-1. Generate $u_1, u_2, v_1, v_2 \leftarrow \mathbb{Z}_n$ and $w_1, w_2 \leftarrow \mathbb{Z}_n^*$
Step-2. Set $x_1 \leftarrow x^{u_1} g^{v_1} \in G_1$; $x_2 \leftarrow x^{u_2} g^{v_2} \in G_1$
Step-3. Set $y_1 \leftarrow y^{u_1} t^{v_1} w_1^n \bmod n^2$; $y_2 \leftarrow y^{u_2} t^{v_2} w_2^n \bmod n^2$; result $\leftarrow 0$
Step-4. Set $(x', y') \leftarrow \mathcal{O}^*((x_1, y_1), (x_2, y_2))$
Step-5. If $e(x', g) = e(x_1, x_2)$, set result $\leftarrow 1$
Output: result $\in \{0, 1\}$



We prove in appendix A that the above algorithm is sound (under a non-standard assumption). That is, if $(x, y) \notin G$ then the algorithm outputs 0 with a high probability. However, the converse is not true. Hence, the above algorithm cannot be used to conclude that $(x, y) \notin G$ if the output is 0.

In some cases, we may need to decide with certainty that a given pair $(x, y)$ is indeed not an element of $G$. The next algorithm Verify-Not-In-Group enables us to do this using oracle $\mathcal{O}^*$. If $(x, y) \notin G$ the algorithm outputs 1 with a high probability.



A-5. Verify-Not-In-Group

Input: (params, $x$, $y$) such that $(x, y) \in G_1 \times \mathbb{Z}_{n^2}^*$

Step-1. Set a security parameter $j$ and generate a $j$-bit string $a \leftarrow \{0, 1\}^j$. Set result $\leftarrow 0$. Initialize another $j$-bit string $b \in \{0, 1\}^j$.

Step-2. Repeat for $i$ from 1 to $j$ (denote by $a_i$ and $b_i$ the $i$-th bits of $a$ and $b$ respectively).

i. If $a_i = 1$, set $(x', y') \leftarrow$ Sample(params); otherwise, set $(x', y') \leftarrow (x, y)$

ii. Set $b_i \leftarrow$ Verify-In-Group(params, $x'$, $y'$)
Step-3. If $(a = b)$, set result $\leftarrow 1$

Output: result $\in \{0, 1\}$
The following lemma shows that the Verify-Not-In-Group algorithm is sound if the Verify-In-Group algorithm is sound.

Lemma 4.1. If the Verify-In-Group algorithm is sound then the Verify-Not-In-Group algorithm is also sound.

Proof. We must show that if the Verify-Not-In-Group algorithm outputs 1 then $(x, y) \notin G$.

If $(x, y) \in G$, then $(x', y')$ in step 2 of Verify-Not-In-Group is always an element of $G$. Now assume that the Verify-In-Group algorithm is sound. Thus, the probability that $a_i = b_i$ is $1/2$ for any $i$. Also, each bit $a_i$ is independent of the other bits. Thus, for a total of $j$ bits, $\Pr[(a_i = b_i)\ \forall\, 1 \le i \le j] = 1/2^j$. In other words, if $(x, y) \in G$ the probability that the Verify-Not-In-Group algorithm outputs 1 is $1/2^j$, which can be made arbitrarily small. □

The next algorithm Verify takes as input a 3-tuple $(A, B, C)$, where $A, B \in G$ and $C \in G_1 \times \mathbb{Z}_{n^2}^*$. It outputs 1 only if $C = A \star B$.



A-6. Verify

Input: (params, $A$, $B$, $C$) such that $A, B \in G$ and $C \in G_1 \times \mathbb{Z}_{n^2}^*$. Assume that the input is correct.

Step-1. Set $(x_A, y_A) \leftarrow A$; $(x_B, y_B) \leftarrow B$; $(x_C, y_C) \leftarrow C$; result $\leftarrow 0$
Step-2. If $e(x_C, g) = e(x_A, x_B)$, set result $\leftarrow$ Verify-In-Group(params, $x_C$, $y_C$)
Output: result $\in \{0, 1\}$



Clearly, the Verify algorithm is sound if the Verify-In-Group algorithm is sound. We observe that we can remove the function call Verify-In-Group(params, $x_C$, $y_C$) in step 2 of the above algorithm (and simply set result $\leftarrow 1$ instead) without introducing any weakness in the construction. However, including this call enables us to reduce the soundness of other related algorithms to the soundness of the Verify-In-Group algorithm.

Algorithm V-Compute takes as input two elements $A, B \in G$. It uses the Verify algorithm (and hence Verify-In-Group) as a subroutine and computes $A \star B$ verifiably by querying $\mathcal{O}^*$.



A-7. V-Compute

Input: (params, $A$, $B$) such that $A, B \in G$. Assume that the input is correct.
Step-1. Set $C \leftarrow \mathcal{O}^*(A, B) \in G_1 \times \mathbb{Z}_{n^2}^*$
Step-2. If Verify($A$, $B$, $C$) $= 0$, set $C \leftarrow I \in G$
Output: $C \in G$



Clearly, the soundness of the above algorithm reduces to the soundness of the Verify algorithm. As a consequence, we state the following theorem, which says that if the Verify algorithm is sound then having indirect access to the oracle $\mathcal{O}$ via some active adversary $\mathcal{O}^*$ is the same as having authentic and public access to $\mathcal{O}$.

Theorem 4.2. If the Verify algorithm is sound then $\mathcal{O}$ is a V-Oracle.

The next algorithm, TD-Exponentiate ("trapdoor-exponentiate"), takes as input (i) the sampling information $\sigma_A \in \mathbb{Z}_n^*$ of an element $A \in G$, (ii) an arbitrary index $i \in \mathbb{Z}$, and (iii) an element $B \in G$. It outputs $A^i \star B \in G$. TD-Exponentiate will be primarily used as a subroutine in the Blind and Unblind algorithms.
A-8. TD-Exponentiate

Input: (params, $\sigma_A$, $i$, $B$), where $\sigma_A \in \mathbb{Z}_n^*$; $i \in \mathbb{Z}$; $B \in G$.

Here, $\sigma_A$ is the sampling information of $A \in G$. Assume that the input is correct.

Step-1. Generate $r \leftarrow \mathbb{Z}_n^*$

Step-2. Set $\sigma \leftarrow \sigma_A^i \in \mathbb{Z}_n^*$; $(x_B, y_B) \leftarrow B \in G_1 \times \mathbb{Z}_{n^2}^*$

Step-3. Set $x \leftarrow x_B^{\sigma} \in G_1$; $y \leftarrow (y_B)^{\sigma} r^n = E(\sigma D(y_B) \bmod n) \in \mathbb{Z}_{n^2}^*$

Output: $(x, y) \in G$



The next two algorithms Blind and Unblind work as follows.

Blind takes as input a value $A \in G$. It generates $B \xleftarrow{R} G$ and outputs $(A \star B) \in G$, along with $\sigma_B \in \mathbb{Z}_n^*$, the sampling information of $B$. Unblind is the inverse of Blind. It takes as input a pair $(A, \sigma_B) \in G \times \mathbb{Z}_n^*$ and outputs $A \star B^{-1} \in G$, where $\sigma_B$ is the sampling information of $B \in G$.



A-9. Blind

Input: (params, $A$) such that $A \in G$. Assume that the input is correct.

Step-1. Set $(B, \sigma_B) \leftarrow$ Sample(params) $\in G \times \mathbb{Z}_n^*$ [$B$ will be ignored]
Step-2. Set $(x, y) \leftarrow$ TD-Exponentiate(params, $\sigma_B$, $1$, $A$) $\in G$
Output: $(x, y, \sigma_B) \in G \times \mathbb{Z}_n^*$



A-10. Unblind

Input: (params, $A$, $\sigma_B$), where $A \in G$ and $\sigma_B \in \mathbb{Z}_n^*$. Here, $\sigma_B$ is the sampling information of $B \in G$. Assume that the input is correct.

Step-1. Set $(x, y) \leftarrow$ TD-Exponentiate(params, $\sigma_B$, $-1$, $A$) $\in G$

Output: $(x, y) \in G$





Lemma 4.3. The Blind/Unblind algorithms provide information theoretic secrecy.

Proof. Clearly, the Blind and Unblind algorithms are inverses of each other. Now, if the output of the Sample algorithm is uniformly distributed over $G$ then the output of the Blind algorithm is also uniformly distributed over $G$, independent of the input. □

Algorithm PV-Compute takes as inputs $A, B \in G$. It uses the Blind, Unblind and V-Compute algorithms as subroutines to compute $A \star B$ privately and verifiably.



A-11. PV-Compute

Input: (params, $A$, $B$) such that $A, B \in G$. Assume that the input is correct.

Step-1. Set $(A', \sigma_{A'}) \leftarrow$ Blind(params, $A$) $\in G \times \mathbb{Z}_n^*$

Step-2. Set $(B', \sigma_{B'}) \leftarrow$ Blind(params, $B$) $\in G \times \mathbb{Z}_n^*$

Step-3. Set $C' \leftarrow$ V-Compute($A'$, $B'$) $\in G_1 \times \mathbb{Z}_{n^2}^*$

Step-4. Set $C \leftarrow$ Unblind(params, Unblind(params, $C'$, $\sigma_{A'}$), $\sigma_{B'}$) $\in G$

Output: $C \in G$
Since the Blind/Unblind algorithms provide information theoretic secrecy (lemma 4.3), the soundness of the above algorithm also reduces to the soundness of the Verify algorithm. As a consequence, we state the following theorem, which says that if the Verify algorithm is sound then having indirect access to the oracle $\mathcal{O}$ via some active adversary $\mathcal{O}^*$ is the same as having private and authentic access to $\mathcal{O}$.

Theorem 4.4. If the Verify algorithm is sound then $\mathcal{O}$ is a PV-Oracle.

This completes our O-SAOWF construction. Figure 5 gives the dependencies between the eleven algorithms. We can essentially use PV-Compute($A$, $B$) to denote $f(A, B)$, where $f$ is a real SAOWF defined using $(G, \star)$ in section 2.1. When considering the security, we will assume that $\mathcal{O}$ takes one time unit to respond to each query and that the sum of the number of queries to $\mathcal{O}$ and the running time of an adversary attacking the O-SAOWF is bounded by a polynomial in $\tau$.



Figure 5: Dependencies between the algorithms (nodes: TD-Exponentiate, Sample, Unblind, Blind, Verify-Not-In-Group, Verify, Verify-In-Group).



4.5 Notation 

For convenience we will adopt the following shorthand notation.

1. We will denote TD-Exponentiate(params, $\sigma_A$, $i$, $B$) by $T(\sigma_A, i, B)$.

2. Since invoking V-Compute is equivalent to making a public query to oracle $\mathcal{O}$ (Theorem 4.2), we will denote V-Compute(params, $A$, $B$) simply by $\mathcal{O}(A, B)$.

3. Invoking PV-Compute is equivalent to making a private query to oracle $\mathcal{O}$ (Theorem 4.4). We will denote PV-Compute(params, $A$, $B$) by $\hat{\mathcal{O}}(A, B)$.

4. For any set of $k$ elements $\{A_1, A_2, \ldots, A_k\} \subset G$, we denote by $\mathcal{O}_{i=1}^{k}(A_i)$ the value

$$\mathcal{O}(\mathcal{O}(\ldots \mathcal{O}(A_1, A_2), \ldots), A_k) = \prod_{i=1}^{k} A_i$$

Similarly, we denote by $\hat{\mathcal{O}}_{i=1}^{k}(A_i)$ the value

$$\hat{\mathcal{O}}(\hat{\mathcal{O}}(\ldots \hat{\mathcal{O}}(A_1, A_2), \ldots), A_k) = \prod_{i=1}^{k} A_i$$

5. We will denote by $\mathcal{E}(A, i)$ an algorithm to compute $A^i$ for any $A \in G$ with the repeated squaring method using V-Compute as a subroutine. This algorithm does not provide privacy of inputs. However, the outputs are verifiable.

6. We will denote by $\hat{\mathcal{E}}(A, i)$ an algorithm to compute $A^i$ for any $A \in G$ with the repeated squaring method using PV-Compute as a subroutine. This algorithm provides information theoretic privacy of inputs and verifiability of outputs.

Remark 4.7. Computing $A^i$ using algorithms $\mathcal{E}$ and $\hat{\mathcal{E}}$ will amount to $\approx c \cdot \log(i)$ queries to oracle $\mathcal{O}$ (for constant $c$) with the repeated squaring method [25, p. 71].



4.6 Security Of The Construction 



The oracle is primarily used as a "computing device" in the proofs. We assume that the oracle always functions correctly and keeps the trapdoor information $\lambda$ secret. Recall that out of params, the pair $(h, \beta) \in G$. Denote this value by $P$. The security of our O-SAOWF relies on the difficulty of inverting $\star$ with respect to $P$. One way to do this would be to extract $\lambda$ from the oracle. However, this is equivalent to factoring $n$, so we should look at indirect methods for inverting $\star$ (with respect to $P$) using the oracle. The security of all our constructions reduces to the difficulty of the following problem:

Group Inversion Problem [$\mathrm{GIP}_G$]: Let $P = (h, \beta) \leftarrow G$ be uniformly sampled using secret $\alpha \leftarrow \mathbb{Z}_n^*$ such that $h = g^{\alpha} \in G_1$ and $\beta = E(\alpha) \in \mathbb{Z}_{n^2}^*$. Given $P$, compute $P^{-1} = (h', \beta') \in G$, where $h' = g^{1/\alpha} \in G_1$ and $\beta' = E(1/\alpha) \in \mathbb{Z}_{n^2}^*$, possibly by using the oracle $\mathcal{O}$.

Computing $h'$ becomes an instance of the inverse Diffie-Hellman problem $\mathrm{IDHP}(g, G_1)$ defined in section 3.1, which is believed to be hard even if the Diffie-Hellman problem is easy. We hypothesize that any method of reducing $\mathrm{IDHP}(g, G_1)$ to $\mathrm{CDHP}(g, G_1)$ will yield a method of reducing $\mathrm{GIP}_G$ to the oracle $\mathcal{O}$. We define the advantage of an algorithm for solving the group inversion problem as follows.

Definition 4.8. For any algorithm $\mathcal{A}$, the advantage of $\mathcal{A}$ in solving the group inversion problem, $\mathrm{GIP}\text{-}\mathrm{Adv}_{\mathcal{A}}(\tau)$ for some security parameter $\tau$, is defined as:

$$\mathrm{GIP}\text{-}\mathrm{Adv}_{\mathcal{A}}(\tau) = \Pr\left[\mathcal{A}^{\mathcal{O}}(e, G_1, G_2, n, g, t, h, \beta) = (g^{1/\alpha}, E(1/\alpha)) \;\middle|\; \begin{array}{l} (e, G_1, G_2, p, q) \leftarrow \mathcal{BDH}(\tau) \text{ s.t. } |G_1| = |G_2| = pq, \\ n = pq,\; g \xleftarrow{R} G_1 \text{ s.t. } \langle g \rangle = G_1, \\ t \in \mathbb{Z}_{n^2}^* \text{ s.t. } |\langle t \rangle| = n, \\ \alpha \xleftarrow{R} \mathbb{Z}_n^*,\; h = g^{\alpha},\; \beta = E(\alpha) \end{array}\right] \qquad (8)$$

Here $\mathcal{BDH}$ is the BDH parameter generator algorithm (section 3.1.1); $E$ denotes the Paillier encryption algorithm with public key $(t, n)$, and $\mathcal{O}$ is an oracle implementing the Compute algorithm (section 4.4).

For any algorithm $\mathcal{A}$, let $\delta_{\mathcal{A}}$ denote the upper bound on the running time of $\mathcal{A}$, and let $k_{(\mathcal{O}, \mathcal{A})}$ denote the upper bound on the number of queries to oracle $\mathcal{O}$ by $\mathcal{A}$. Our security is based on the following conjecture.

Conjecture 4.9. For any algorithm $\mathcal{A}$ such that $k_{(\mathcal{O}, \mathcal{A})}, \delta_{\mathcal{A}} \in \mathrm{Poly}(\tau)$, $\mathrm{GIP}\text{-}\mathrm{Adv}_{\mathcal{A}}(\tau)$ is a negligible function in $\tau$. In other words, for all $k_{\mathcal{O}}, \delta, 1/\varepsilon \in \mathrm{Poly}(\tau)$, the O-SAOWF is $(k_{\mathcal{O}}, \delta, \varepsilon)$-secure under an adaptive attack using definition 2.5.



5 Applications Of O-SAOWFs 

In this section we describe three applications of O-SAOWFs: (a) Multiparty Key Agreement, (b) Signatures and (c) Broadcast Encryption (another application, Identity Based Encryption (IBE), is described in appendix B).
5.1 Key Generation (Setup PKI)

To participate in the protocols, each user $i$ must have a certified public key and the corresponding private key. This is generated as follows. Recall that out of params, the pair $(h, \beta) = P \in G$. This will serve as a common starting value for all users.

1. User $i$ generates $(X_i, \sigma_{X_i}) \leftarrow$ Sample(params) $\in G \times \mathbb{Z}_n^*$. The private key is $\sigma_{X_i}$.

2. User $i$ computes the public key $Y_i \leftarrow T(\sigma_{X_i}, 1, P) = X_i \star P$. The public key is made available in an authentic way.


5.2 Multiparty Key Agreement 

In this section, we describe the multiparty key agreement protocol of Rivest, Rabi and Sherman using 
O-SAOWFs. At a high level, the objective of a multiparty key agreement protocol is to enable a set of 
users to compute a shared secret key (the group private key) such that no one outside the set can compute 
this key. In our model each group private key also has a corresponding group public key, which can be 
used for join/merge operations and for verifying (group) signatures created using the group private key. 
Our construction also defines a partial public key that is used in the intermediate steps for group private 
key computation. 



5.2.1 Key Agreement Protocol 

[$k$ users] A set $s = \{1, 2, 3, \ldots, k\}$ of $k$ users compute a shared group key.

1. Partial public key: Each user $j \in s$ first computes the partial public key

$$Y_{s \setminus \{j\}} \leftarrow \mathcal{O}_{i \in s \setminus \{j\}}(Y_i) = \prod_{i \in s \setminus \{j\}} Y_i = P^{k-1} \star \prod_{i \in s \setminus \{j\}} X_i$$

2. Group Private Key: Each user $j \in s$ then computes the group private key

$$K_s \leftarrow T(\sigma_{X_j}, 1, Y_{s \setminus \{j\}}) = X_j \star Y_{s \setminus \{j\}} = P^{k-1} \star \prod_{i=1}^{k} X_i$$

3. Group Public Key: The group public key for $s$ is computed by anyone as

$$Y_s \leftarrow \mathcal{O}_{i=1}^{k}(Y_i) = \prod_{i=1}^{k} Y_i = P^k \star \prod_{i=1}^{k} X_i$$

Thus, the partial public key of user $j$ in set $s$ is the group public key of the set $s \setminus \{j\}$.



5.2.2 Overview Of The Key Agreement Protocol 

1. Complexity: For a group of $k$ users, $k - 2$ oracle queries are required for each user to compute the shared key. Thus, a total of $k(k - 2)$ queries are required for all the $k$ users. However, no specific ordering is required between the users (users can compute the shared key after receiving a ciphertext). Additionally, oracle queries can be batched.

2. Universal Escrow: Given a public key $Y_i = X_i \star P$, the oracle $\mathcal{O}$ can compute the corresponding private key $\sigma_{X_i}$. Therefore, $\mathcal{O}$ has universal escrow capability.

3. Non-interactivity: Assuming that all the public keys $Y_i$ are known in advance, any user can compute the shared key without interacting with the other users.

4. Multiple copies of the Oracle: An arbitrary number of "copies" of the oracle can be run without any compromise in security.
5.2.3 Join And Merge Operations

Clearly, members can join any group and many groups can merge arbitrarily. For simplicity we only demonstrate the merge operation between two disjoint sets $a$ and $b$ of users.

Example [Merge] A set $a$ of users merges with another set $b$ of users such that $a \cap b = \emptyset$. Further assume that $a$ has the private key $K_a$ and the public key $Y_a$. Similarly, $b$ has the private key $K_b$ and the public key $Y_b$.

1. Group private key: Each member $i \in a$ computes $K_{a \cup b} \leftarrow \mathcal{O}(K_a, Y_b)$, while each member $j \in b$ computes $K_{a \cup b} \leftarrow \mathcal{O}(K_b, Y_a)$.

2. Group public key: The group public key corresponding to the group private key $K_{a \cup b}$ can be computed as $Y_{a \cup b} \leftarrow \mathcal{O}(Y_a, Y_b) = Y_a \star Y_b$.

In the above merge procedure, we assumed that $a$ and $b$ are disjoint (i.e. they have no common members). In case the sets are not disjoint, we could still use the above merge procedure without any serious drawback as long as this instantiation of the O-SAOWF is only used for key agreement (and not for signatures, which are discussed below in section 5.3). In case the same instantiation of the O-SAOWF is also used for signatures, we would require the merge procedure to eliminate duplicate users in the merged set (this can be efficiently done if the intermediate values in the partial public key computation are cached).

5.2.4 Forward Secrecy 

Due to the above mentioned merge procedure, the compromise of the group private key of a set $a$ of users compromises the group private key of any other set $c$ of users whenever $c \supseteq a$. To overcome this weakness, if the private key of group $a$ is compromised, at least one member of $a$ must compute a new public-private key pair. Compromise of a group private key of a set $a$ of users, however, does not compromise the group private key of any set $c$ of users whenever $c \subset a$.

5.2.5 Security Of The Key Agreement Protocol 

From the key agreement procedure, it is clear that if the adversary knows the private key of a user $i \in a$ then the adversary knows the group private key of the set $a$ of users. Additionally, if the adversary knows the group private key of the set $a$ then the adversary also knows the group private key of any set that properly includes $a$. Thus, we restrict the adversary to output the private key of any set $a$ of users such that the adversary knows neither the group private key of any proper subset of $a$ nor the private keys of any users in the set $a$. We show that any algorithm that breaks the above key agreement protocol (with the above restriction) can be used to compute $P^{-1}$. First observe that the secret key $K_a$ for the set $a = \{1, 2, \ldots, k\}$ of users is related to the public keys $\{Y_1, Y_2, \ldots, Y_k\}$ as:

$$K_a = P^{k-1} \star \prod_{i=1}^{k} X_i = P^{-1} \star \prod_{i=1}^{k} Y_i \qquad (9)$$

We use a security model for multiparty key agreement similar to the one used in [ ], namely security under a one-time key attack. The difference here is that we allow the attacker to choose the set of public keys to attack. Formally, we define a one-time key attack on a multiparty key agreement protocol using game 1.

Game 1 

Initialize. To initialize the game, the challenger gives a security parameter $\tau$ to the adversary. The adversary $\mathcal{A}$ responds with a value $\mu_1 \in \mathbb{N}$.

Challenge. The challenger $\mathcal{C}$ performs the key generation phase and gives a set $\{Y_1, Y_2, \ldots, Y_{\mu_1}\}$ of $\mu_1$ public keys to $\mathcal{A}$.

Output. Eventually $\mathcal{A}$ outputs a pair $(a, K_a)$.

Result: $\mathcal{A}$ wins the game if $a \subseteq \{1, 2, \ldots, \mu_1\}$ and $K_a$ is the group private key of $a$.

Definition 5.1. We say that adversary $\mathcal{A}$ $(\mu_1, \delta_1, \varepsilon_1)$-breaks the key agreement protocol in a one-time key attack if, for a total of $\mu_1$ public keys output in the setup phase, $\mathcal{A}$ runs in at most time $\delta_1$ and the probability of $\mathcal{A}$ winning game 1 is at least $\varepsilon_1$. Alternatively, we say that the key agreement protocol is $(\mu_1, \delta_1, \varepsilon_1)$-secure under a one-time key attack if no such adversary exists.

The next theorem shows that the key agreement protocol is secure under a one-time key attack if the group inversion problem is hard.

Theorem 5.1. Let the O-SAOWF be $(\cdot, \delta, \varepsilon)$-secure under an adaptive attack. Then the multiparty key agreement protocol is $(\mu_1, \delta_1, \varepsilon_1)$-secure in a one-time key attack, where $\delta \le \delta_1 + O(c_1 \mu_1)$ and $\varepsilon = \varepsilon_1$. Here, $c_1$ is the time for a multiplication in $\mathbb{Z}_n^*$.

Proof. Let the O-SAOWF be $(\cdot, \delta, \varepsilon)$-secure under an adaptive attack and let $\mathcal{A}$ be an algorithm that $(\mu_1, \delta_1, \varepsilon_1)$-breaks the key agreement protocol in a one-time key attack. We construct an algorithm $\mathcal{B}$ that uses $\mathcal{A}$ to solve $\mathrm{GIP}_G$ in at most $\delta$ time with probability at least $\varepsilon$, thus arriving at a contradiction. The input to $\mathcal{B}$ is $P \in G$ and its goal is to output $P^{-1}$. $\mathcal{B}$ simulates the challenger of game 1 and runs algorithm $\mathcal{A}$ as follows.

Initialize. $\mathcal{B}$ gives the security parameter $\tau$ to $\mathcal{A}$, who replies with $\mu_1$.

Challenge. $\mathcal{B}$ generates $(Y_1, \sigma_{Y_1}), (Y_2, \sigma_{Y_2}), \ldots, (Y_{\mu_1}, \sigma_{Y_{\mu_1}}) \leftarrow$ Sample(params) $\in G \times \mathbb{Z}_n^*$ and gives the $(\mu_1 + 1)$-tuple $(Y_1, Y_2, \ldots, Y_{\mu_1}, P)$ to $\mathcal{A}$.

Output. Eventually $\mathcal{A}$ outputs a pair $(a, K_a)$.

Result: If $(a, K_a)$ is a winning configuration, then $a \subseteq \{1, 2, \ldots, \mu_1\}$ and $K_a = P^{-1} \star \prod_{i \in a} Y_i$ by virtue of equation (9). Algorithm $\mathcal{B}$ then proceeds as follows:

(a) If $(a, K_a)$ is not a winning configuration, $\mathcal{B}$ reports failure and terminates.

(b) We know that $(a, K_a)$ is a winning configuration. Algorithm $\mathcal{B}$ sets $\sigma_Y \leftarrow \prod_{i \in a} \sigma_{Y_i} \bmod n$. Thus, $\sigma_Y$ is the sampling information of $\prod_{i \in a} Y_i$ (see section 4.3, item 2).

(c) $\mathcal{B}$ sets result $\leftarrow T(\sigma_Y, -1, K_a)$ and outputs result.

Algorithm $\mathcal{B}$ is correct because

$$T(\sigma_Y, -1, K_a) = \Big(\prod_{i \in a} Y_i\Big)^{-1} \star K_a = \Big(\prod_{i \in a} Y_i\Big)^{-1} \star P^{-1} \star \prod_{i \in a} Y_i = P^{-1}$$

The running time of $\mathcal{B}$ is the running time of $\mathcal{A}$ plus the time required for generating the $\mu_1$ public keys, the time required for computing $T$, and the time required for at most $\mu_1$ multiplications in $\mathbb{Z}_n^*$. The probability of $\mathcal{B}$'s success is the same as the probability of $\mathcal{A}$'s success. This gives the bounds. □

5.3 Signatures 

As noted in [ ], SAOWFs give rise to signature schemes. Here, we describe two signature schemes using O-SAOWFs: ordinary signatures and multi-user signatures. A signature scheme consists of three algorithms KeyGen, Sign and VerifySig, where the algorithms have their usual constraints [22]. Our message space is $\mathbb{N}$.

5.3.1 Single-User Signatures

This is a variation of the scheme for single-user signatures described in [6].

KeyGen. This algorithm is described in section 5.1. The private key of user $i$ is $\sigma_{X_i} \in \mathbb{Z}_n^*$. The public key is $Y_i = X_i \star P \in G$.

Sign. Let $m \in \mathbb{N}$ be the message. To sign $m$, user $i$ computes the signature $S_{(i,m)}$ as:

$$S_{(i,m)} \leftarrow T(\sigma_{X_i}, m, P) = X_i^m \star P$$

VerifySig. To verify a signature $S_{(i,m)}$ of user $i$ on message $m$, we check if the following holds:

$$\mathcal{E}(Y_i, m) \stackrel{?}{=} \mathcal{O}(S_{(i,m)}, \mathcal{E}(P, m - 1))$$

In other words, we check if $Y_i^m = S_{(i,m)} \star P^{m-1}$.

5.3.2 Multi-User And Ring Signatures 

The above construction of single-user signatures can be trivially extended to multi-user signatures. To sign messages, members of a group must share a secret group key.

KeyGen. This algorithm is described in section 5.2. Without loss of generality, assume that any of the set $a = \{1, 2, \ldots, j\}$ of users want to independently sign messages using the group private key $K_a = P^{j-1} \star \prod_{i=1}^{j} X_i$ such that the signatures can be verified using the group public key $Y_a = \prod_{i=1}^{j} Y_i$.

Sign. Let $m \in \mathbb{N}$ be the message. To sign $m$, any member $i \in a$ computes the signature $S_{(a,m)}$ as:

$$S_{(a,m)} \leftarrow \mathcal{O}(\mathcal{E}(K_a, m), P) = K_a^m \star P$$

VerifySig. To verify a signature $S_{(a,m)}$ of user $i \in a$ on message $m$, we check if the following holds:

$$\mathcal{E}(Y_a, m) \stackrel{?}{=} \mathcal{O}(S_{(a,m)}, \mathcal{E}(P, m - 1))$$

In other words, we check if $Y_a^m = S_{(a,m)} \star P^{m-1}$.
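The group operation, the trapdoor algorithms and the two applications above, as an added toy model in Python that is not the paper's code. It assumes $G_1$ is the order-$n$ subgroup of $\mathbb{Z}_{P}^*$ for the smallest prime $P = kn + 1$ (so no bilinear map exists and Verify-In-Group is not modelled), the Paillier generator $t = n + 1$, and tiny constructed primes $p = 47$, $q = 59$; it covers Sample (A-2), Compute (A-3), TD-Exponentiate (A-8), the $\mathcal{O}$/$\mathcal{E}$ notation of section 4.5, key generation (5.1), the key agreement of 5.2.1 and the signatures of 5.3.1 and 5.3.2.

```python
import math
import random

P_PRIME, Q_PRIME = 47, 59                 # constructed toy factors of n (far too small to be secure)
N = P_PRIME * Q_PRIME                     # Paillier modulus n; |Z_n^*| = phi(n) is hidden without p, q
N2 = N * N
LAMBDA = (P_PRIME - 1) * (Q_PRIME - 1) // math.gcd(P_PRIME - 1, Q_PRIME - 1)  # master-key lambda
T = N + 1                                 # Paillier generator t (assumed choice)
# G_1 is modelled as the order-n subgroup of Z_GP^* for the smallest prime GP = k*n + 1.
GP = next(k * N + 1 for k in range(2, 10**6)
          if all((k * N + 1) % d for d in range(2, math.isqrt(k * N + 1) + 1)))
# Generator g of G_1: an element of order exactly n (neither g^p nor g^q equals 1).
G = next(pow(h, (GP - 1) // N, GP) for h in range(2, GP)
         if pow(h, (GP - 1) // N * P_PRIME, GP) != 1
         and pow(h, (GP - 1) // N * Q_PRIME, GP) != 1)
MU = pow((pow(T, LAMBDA, N2) - 1) // N, -1, N)   # Paillier decryption constant L(t^lambda)^-1

def _unit(rng):
    """Random element of Z_n^* (used for trapdoors and Paillier blinding factors)."""
    r = rng.randrange(2, N)
    while math.gcd(r, N) != 1:
        r = rng.randrange(2, N)
    return r

def paillier_encrypt(m, rng=random):
    return pow(T, m, N2) * pow(_unit(rng), N, N2) % N2

def paillier_decrypt(c):
    return (pow(c, LAMBDA, N2) - 1) // N * MU % N

def sample(rng=random):
    """Sample (A-2): A = (g^sigma, E(sigma)) in G together with its sampling information sigma."""
    sigma = _unit(rng)
    return (pow(G, sigma, GP), paillier_encrypt(sigma, rng)), sigma

IDENTITY = (G, T)                         # (g, E(1)) with r = 1: a representative of [I]
P_ELEM, _ = sample(random.Random(1))      # the public pair P = (h, beta); its trapdoor is discarded

def in_group(elem):
    """Equation (5): x == g^{D(y)}. Needs lambda, so only the oracle can run it (section 4.3, item 8)."""
    x, y = elem
    return x == pow(G, paillier_decrypt(y), GP)

def oracle_star(A, B):
    """Compute (A-3): A*B by equations (6) and (7) using lambda; returns I on inputs outside G^2."""
    if not (in_group(A) and in_group(B)):
        return IDENTITY
    (xa, ya), (xb, yb) = A, B
    da, db = paillier_decrypt(ya), paillier_decrypt(yb)
    return pow(xa, db, GP), paillier_encrypt(da * db % N)

def td_exponentiate(sigma_a, i, B, rng=random):
    """TD-Exponentiate (A-8): A^i * B from sigma_A alone; sigma_A^i mod n is the sampling
    information of A^i (section 4.3, item 3), and i = -1 yields A^-1 * B."""
    sigma = pow(sigma_a, i, N)
    xb, yb = B
    return pow(xb, sigma, GP), pow(yb, sigma, N2) * pow(_unit(rng), N, N2) % N2

def equivalent(A, B):
    return A[0] == B[0]                   # relation ~: a class is fixed by its G_1 component

def oracle_power(A, i):
    """E(A, i): A^i by square-and-multiply with O(log i) public oracle queries (section 4.5, item 5)."""
    result, base = IDENTITY, A
    while i > 0:
        if i & 1:
            result = oracle_star(result, base)
        base, i = oracle_star(base, base), i >> 1
    return result

def keygen(rng=random):
    """Section 5.1: private key sigma_X, public key Y = T(sigma_X, 1, P) = X * P."""
    _, sigma_x = sample(rng)
    return sigma_x, td_exponentiate(sigma_x, 1, P_ELEM, rng)

def fold(elems):
    """O(O(...O(A_1, A_2)...), A_k) with k-1 oracle queries; fold(pubs) is the group public key Y_s."""
    acc = elems[0]
    for e in elems[1:]:
        acc = oracle_star(acc, e)
    return acc

def group_private_key(j, sigma_xj, pubs):
    """Section 5.2.1: user j folds the other k-1 public keys (k-2 queries), then applies its trapdoor."""
    partial = fold([y for i, y in enumerate(pubs) if i != j])
    return td_exponentiate(sigma_xj, 1, partial)

def sign(sigma_x, m):
    """Section 5.3.1: S_(i,m) = T(sigma_Xi, m, P) = X_i^m * P."""
    return td_exponentiate(sigma_x, m, P_ELEM)

def verify_sig(Y, m, S):
    """VerifySig: E(Y, m) == O(S, E(P, m-1)), i.e. Y^m = S * P^(m-1); works for single and multi-user."""
    return equivalent(oracle_power(Y, m), oracle_star(S, oracle_power(P_ELEM, m - 1)))
```

Because $\sim$ only compares the $G_1$ component, two outputs of the same class normally carry different Paillier parts, so results must be compared with equivalent() rather than tuple equality.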

Given a signature of some set $a$, it is not possible for any group controller to revoke the anonymity of the signer (since there is no group controller). Thus, the above scheme is an example of ring signatures [34].

5.3.3 Security Of The Signature Schemes 

The strongest model for security of signatures is security against existential forgery under an adaptive chosen message attack [22], where the attacker is required to output a successful forgery under the challenge public key after having access to the signing oracle. However, we only prove the security of our schemes in a weaker model that we call security against existential forgery under a non-adaptive chosen message attack. In a non-adaptive attack, the attacker is not allowed to make any signature queries. We define this using the following game between the challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Game 2 

Initialize. To initialize the game, the challenger gives a security parameter $\tau$ to the adversary. The adversary $\mathcal{A}$ outputs $\mu_2 \in \mathbb{N}$.

Challenge. The challenger $\mathcal{C}$ performs the key generation phase and gives a set $\{Y_1, Y_2, \ldots, Y_{\mu_2}\}$ of $\mu_2$ public keys to $\mathcal{A}$.

Output. Eventually $\mathcal{A}$ outputs a tuple $(a, S_{(a,m)}, m)$.

Result: $\mathcal{A}$ wins the game if $a \subseteq \{1, 2, \ldots, \mu_2\}$ and $S_{(a,m)}$ is a valid signature by $a$ on the message $m$.

Definition 5.2. We say that adversary $\mathcal{A}$ $(\mu_2, \delta_2, \varepsilon_2)$-breaks the signature scheme in a non-adaptive chosen message attack if, for a total of $\mu_2$ public keys output in the setup phase, $\mathcal{A}$ runs in at most time $\delta_2$ and the probability of $\mathcal{A}$ winning game 2 is at least $\varepsilon_2$. Alternatively, we say that the signature scheme is $(\mu_2, \delta_2, \varepsilon_2)$-secure under a non-adaptive chosen message attack if no such adversary exists.

The next theorem shows that any algorithm that is successful in existential forgery of signatures under a non-adaptive chosen message attack can be used to compute $P^{-1}$. First observe that $S_{(a,m)}$ can be rewritten as

$$S_{(a,m)} = K_a^m \star P = P^{1-m} \star \Big(\prod_{i \in a} Y_i\Big)^m \qquad (10)$$

Also note that Game 2 considers both single and multi-user signatures.

Theorem 5.2. Let the O-SAOWF be $(k_{\mathcal{O}}, \delta, \varepsilon)$-secure under an adaptive attack. Then the signature scheme is $(\mu_2, \delta_2, \varepsilon_2)$-secure under a non-adaptive chosen message attack, where $k_{\mathcal{O}} \le c_2 \log(n)$; $\delta \le \delta_2 + O(\mu_2)$; and $\varepsilon \ge \varepsilon_2$. Here, $c_2$ is a constant.

Proof. Let the O-SAOWF be $(k_{\mathcal{O}}, \delta, \varepsilon)$-secure under an adaptive attack and let $\mathcal{A}$ be an algorithm that $(\mu_2, \delta_2, \varepsilon_2)$-breaks the signature scheme in a non-adaptive chosen message attack. We construct an algorithm $\mathcal{B}$ that uses $\mathcal{A}$ to solve $\mathrm{GIP}_G$ in at most $\delta$ time with probability at least $\varepsilon$, thus arriving at a contradiction. The input to $\mathcal{B}$ is $P \in G$ and its goal is to output $P^{-1}$. $\mathcal{B}$ simulates the challenger of game 2 and runs algorithm $\mathcal{A}$.

Initialize. $\mathcal{B}$ gives the parameter $\tau$ to $\mathcal{A}$, who outputs $\mu_2 \in \mathbb{N}$.

Challenge. $\mathcal{B}$ generates $(Y_1, \sigma_{Y_1}), (Y_2, \sigma_{Y_2}), \ldots, (Y_{\mu_2}, \sigma_{Y_{\mu_2}}) \leftarrow$ Sample(params) $\in G \times \mathbb{Z}_n^*$ and gives the $(\mu_2 + 1)$-tuple $(Y_1, Y_2, \ldots, Y_{\mu_2}, P)$ as the input to $\mathcal{A}$.

Output. Finally $\mathcal{A}$ outputs a tuple $(a, S_{(a,m)}, m)$.

Result: If the tuple $(a, S_{(a,m)}, m)$ represents a winning configuration, then $a \subseteq \{1, 2, \ldots, \mu_2\}$ and $S_{(a,m)} = P^{1-m} \star (\prod_{i \in a} Y_i)^m$ by virtue of equation (10). Algorithm $\mathcal{B}$ then proceeds as follows:

(a) If $(a, S_{(a,m)}, m)$ is not a winning configuration, algorithm $\mathcal{B}$ reports failure and terminates.

(b) We know that $a \subseteq \{1, 2, \ldots, \mu_2\}$ and $S_{(a,m)} = P^{1-m} \star (\prod_{i \in a} Y_i)^m$. Algorithm $\mathcal{B}$ then sets $C \leftarrow \mathcal{E}(P, m - 2) = P^{m-2}$ and $\sigma_Y \leftarrow \prod_{i \in a} \sigma_{Y_i} \bmod n$. Thus, $\sigma_Y$ is the sampling information of $\prod_{i \in a} Y_i$ (see section 4.3, item 2).

(c) Finally, $\mathcal{B}$ sets result $\leftarrow T(\sigma_Y, -m, \mathcal{O}(S_{(a,m)}, C))$ and outputs result.

Algorithm $\mathcal{B}$ is correct because

$$T(\sigma_Y, -m, \mathcal{O}(S_{(a,m)}, C)) = \Big(\prod_{i \in a} Y_i\Big)^{-m} \star S_{(a,m)} \star C = \Big(\prod_{i \in a} Y_i\Big)^{-m} \star \Big(P^{1-m} \star \big(\prod_{i \in a} Y_i\big)^m\Big) \star P^{m-2} = P^{-1}$$

The running time of $\mathcal{B}$ is the running time of $\mathcal{A}$ plus the time required for generating the $\mu_2$ public keys, the time required for computing $T$, and the time required for at most $\mu_2$ multiplications in $\mathbb{Z}_n^*$. The probability of $\mathcal{B}$'s success is the same as the probability of $\mathcal{A}$'s success. Finally, $\mathcal{B}$ queries the oracle for computing $\mathcal{O}(S_{(a,m)}, C)$ and $\mathcal{E}(P, m - 2)$. This amounts to a maximum of $c_2 \log(n)$ queries for some constant $c_2$. Thus, we have the required bounds. □
5.4 Broadcast Encryption

In a broadcast encryption scheme, anyone can encrypt a message addressed to a closed set of users using their public keys such that only those users have the ability to decrypt the message (we do not consider schemes that allow traitor tracing). Using our method, the size of ciphertexts and of public/private keys is $O(1)$, and for a set of $k$ users a total of $O(k)$ calls to the oracle $\mathcal{O}$ are required for encryption and decryption. A broadcast encryption scheme consists of three algorithms KeyGen, BC-Encrypt and BC-Decrypt, where the algorithms have their usual constraints [35]. (We use the prefix 'BC' to indicate 'broadcast'.)

KeyGen. This algorithm is described in section 5.2. Without loss of generality, assume that messages will be encrypted to an arbitrary set $a = \{1, 2, \ldots, k\}$ of $k$ users with public keys $\{Y_1, Y_2, \ldots, Y_k\}$, where $Y_i = X_i \star P$ and $\sigma_{X_i}$ is the private key of user $i$. The sender of the message generates the group public key $Y_a$ by making $k - 1$ oracle queries as follows:
$$Y_a \leftarrow Y_1 \star Y_2 \star \cdots \star Y_k = \prod_{i=1}^{k} Y_i = P^k \star \prod_{i=1}^{k} X_i,$$
and any receiver $i \in a$ must independently compute the group private key $K_a$ by making $k - 2$ oracle queries (to multiply the $k - 1$ public keys of the other members) followed by one local $\mathcal{T}$ computation, as follows:
$$K_a \leftarrow \mathcal{T}\Big(\sigma_{X_i}, 1, \prod_{j \in a,\, j \neq i} Y_j\Big) = P^{k-1} \star \prod_{j=1}^{k} X_j.$$
We additionally require a cryptographic hash function $\mathcal{H} : \mathbb{G} \to \{0,1\}^l$ that will be treated as a random oracle in the proofs.$^7$ Our message space is $\{0,1\}^l$.

BC-Encrypt. To encrypt $m \in \{0,1\}^l$ to the set $a = \{1, 2, \ldots, k\}$ of $k$ users with group public key $Y_a$, generate $(R, \sigma_R) \leftarrow \mathsf{Sample}(\mathit{params}) \in \mathbb{G} \times \mathbb{Z}_n^*$ and compute
$$c_1 \leftarrow m \oplus \mathcal{H}(\mathcal{T}(\sigma_R, 1, Y_a)) = m \oplus \mathcal{H}(R \star Y_a),$$
$$C_2 \leftarrow \mathcal{T}(\sigma_R, 1, P) = R \star P.$$
Here $\oplus$ denotes the XOR operator. The ciphertext is $C = (c_1, C_2) \in \{0,1\}^l \times \mathbb{G}$. Note that the sender needs no oracle query: both components are computed locally with $\sigma_R$.

BC-Decrypt. To decrypt the ciphertext $(c_1, C_2)$ using the group private key $K_a$, compute
$$m \leftarrow c_1 \oplus \mathcal{H}(\mathcal{O}(K_a, C_2)) = c_1 \oplus \mathcal{H}(K_a \star C_2),$$
which costs one oracle query. The decryption is correct, because for a legitimate ciphertext we have
$$K_a \star C_2 = \Big(P^{k-1} \star \prod_{i=1}^{k} X_i\Big) \star (R \star P) = R \star P^k \star \prod_{i=1}^{k} X_i = R \star Y_a.$$

5.4.1 Security Of Broadcast Encryption

We use a restricted model for security called security under an adaptive chosen plaintext attack (IND-CPA). In this model, we fix some arbitrary set $a = \{1, 2, \ldots, k\}$ of $k$ users and require the adversary to attack the semantic security of the scheme without access to a decryption oracle. However, we allow the adversary to choose the subset of keys it is attacking. Since full security in the sense of adaptive chosen ciphertext attacks (IND-CCA) in the random oracle model can be achieved using the Fujisaki-Okamoto transformation [37], we only prove security in the IND-CPA model. IND-CPA security of a broadcast encryption scheme is defined using the following game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

$^7$ To construct this hash function, let $A = (x, y) \in \mathbb{G} \subseteq \mathbb{G}_1 \times \mathbb{Z}_{n^2}^*$ be some input and let $\mathcal{H}_1 : \mathbb{G}_1 \to \{0,1\}^l$ be a hash function. Then $\mathcal{H}(A) = \mathcal{H}_1(x)$; only the first component is hashed, which matches section 6.2, where the equivalence class of $A$ is determined by $x$ alone.
Game 3

Initialize. The challenger $\mathcal{C}$ gives a security parameter $\tau$ to the adversary $\mathcal{A}$, who outputs $\mu_3 \in \mathbb{N}$. The challenger performs the key generation phase and gives a set $\{Y_1, Y_2, \ldots, Y_{\mu_3}\}$ of $\mu_3$ public keys to $\mathcal{A}$.

Challenge. $\mathcal{A}$ generates two messages $m_0, m_1$ along with a set $a \subseteq \{1, 2, \ldots, \mu_3\}$ of users. The challenger chooses a bit $b \leftarrow \{0,1\}$ and outputs the encryption of $m_b$ under the group public key $Y_a$ of $a$.

Guess. Eventually $\mathcal{A}$ outputs a bit $b' \in \{0,1\}$.

Result: $\mathcal{A}$ wins the game if $b = b'$.

We refer to such an adversary $\mathcal{A}$ as an IND-CPA adversary. We define $\mathcal{A}$'s advantage in attacking the broadcast encryption scheme, $\mathrm{Adv\text{-}cpa}_{\mathcal{A}}(\tau)$, as
$$\mathrm{Adv\text{-}cpa}_{\mathcal{A}}(\tau) = \Big|\Pr[b = b'] - \tfrac{1}{2}\Big|,$$
where the probability is taken over the random coin tosses of $\mathcal{C}$ and $\mathcal{A}$.

Definition 5.3. Let $\mathcal{H}$ be a random oracle. We say that an IND-CPA adversary $\mathcal{A}$ $(\mu_3, \delta_3, \kappa_3, \epsilon_3)$-breaks the broadcast encryption scheme in an adaptive chosen plaintext attack if, for a total of $\mu_3$ public keys output in the setup phase, $\mathcal{A}$ runs in time at most $\delta_3$, makes at most $\kappa_3$ queries to the oracle for $\mathcal{H}$, and has $\mathrm{Adv\text{-}cpa}_{\mathcal{A}}(\tau)$ at least $\epsilon_3$. Alternatively, we say that the broadcast encryption scheme is $(\mu_3, \delta_3, \kappa_3, \epsilon_3)$-secure under an adaptive chosen plaintext attack if no such adversary $\mathcal{A}$ exists.

The next theorem shows that any IND-CPA adversary $\mathcal{A}$ with non-negligible advantage $\mathrm{Adv\text{-}cpa}_{\mathcal{A}}(\tau)$ in the random oracle model can be used to solve the group inversion problem with non-negligible advantage. The proof is similar to the proof of [23, lemma 4.3].

Theorem 5.3. Let $\mathcal{H}$ be a random oracle and let the O-SAOWF be $(\cdot, \delta, \epsilon)$-secure under an adaptive attack. Then the broadcast encryption scheme is $(\mu_3, \delta_3, \kappa_3, \epsilon_3)$-secure under an adaptive chosen plaintext attack, where $\delta \leq \delta_3 + \Theta(c_1 \mu_3) + \Theta(c_2 \kappa_3)$ and $\epsilon \geq 2 \epsilon_3$. Here $c_1$ is the time for one multiplication in $\mathbb{Z}_n^*$, and $c_2$ is a constant that depends on the oracle $\mathcal{O}$ (the reduction spends one oracle query on each entry of its $\mathcal{H}$-list).

Proof. Let the O-SAOWF be $(\cdot, \delta, \epsilon)$-secure under an adaptive attack and let $\mathcal{A}$ be an algorithm that $(\mu_3, \delta_3, \kappa_3, \epsilon_3)$-breaks the broadcast encryption scheme in an adaptive chosen plaintext attack. We construct an algorithm $\mathcal{B}$ that uses $\mathcal{A}$ to solve $\mathrm{GIP}_{\mathbb{G}}$ in at most $\delta$ time with probability at least $\epsilon$, thus arriving at a contradiction. The input to $\mathcal{B}$ is $P \in \mathbb{G}$ and its goal is to output $P^{-1}$. $\mathcal{B}$ simulates the challenger of game 3 and runs $\mathcal{A}$.

Initialize. $\mathcal{B}$ gives the security parameter $\tau$ to $\mathcal{A}$, who replies with $\mu_3$. $\mathcal{B}$ generates
$$(Y_1, \sigma_{Y_1}), (Y_2, \sigma_{Y_2}), \ldots, (Y_{\mu_3}, \sigma_{Y_{\mu_3}}) \leftarrow \mathsf{Sample}(\mathit{params}) \in \mathbb{G} \times \mathbb{Z}_n^*,$$
and gives the $(\mu_3 + 1)$-tuple $(Y_1, Y_2, \ldots, Y_{\mu_3}, P)$ to $\mathcal{A}$. ($\mathcal{B}$ samples each $Y_i$ directly, so it knows $\sigma_{Y_i}$; the corresponding private keys are never needed in the simulation.)

$\mathcal{H}$-queries. At any time, $\mathcal{A}$ may query the random oracle $\mathcal{H}$. To respond to these queries, $\mathcal{B}$ maintains a list of tuples called the $\mathcal{H}^{\mathit{list}}$. Each entry in this list is a tuple of the form $(Z_i, \mathcal{H}_i)$. Initially this list is empty. To respond to an $\mathcal{H}$ query on $Z_i$, algorithm $\mathcal{B}$ does the following:

(a) If the query $Z_i$ already appears on the $\mathcal{H}^{\mathit{list}}$ in a tuple $(Z_i, \mathcal{H}_i)$, then $\mathcal{B}$ responds with $\mathcal{H}(Z_i) = \mathcal{H}_i$.

(b) Otherwise, $\mathcal{B}$ picks a random string $\mathcal{H}_i \in \{0,1\}^l$, adds the tuple $(Z_i, \mathcal{H}_i)$ to the $\mathcal{H}^{\mathit{list}}$ and responds with $\mathcal{H}(Z_i) = \mathcal{H}_i$.

Challenge. $\mathcal{A}$ generates two messages $m_0, m_1$ along with a set $a \subseteq \{1, 2, \ldots, \mu_3\}$ and sends the tuple $(m_0, m_1, a)$ to $\mathcal{B}$. Algorithm $\mathcal{B}$ picks a random $c_1 \in \{0,1\}^l$, generates $(C_2, \sigma_{C_2}) \leftarrow \mathsf{Sample}(\mathit{params})$, defines $C = (c_1, C_2)$ and gives $C$ as the challenge ciphertext to $\mathcal{A}$. Observe that the decryption of $C$ is $c_1 \oplus \mathcal{H}\big(P^{-1} \star C_2 \star \prod_{i \in a} Y_i\big)$, since $K_a \star C_2 = P^{-1} \star \big(\prod_{i \in a} Y_i\big) \star C_2$.

Algorithm $\mathcal{B}$ also computes $\sigma_W \leftarrow \sigma_{C_2} \prod_{i \in a} \sigma_{Y_i} \bmod n$. Clearly, $\sigma_W$ is the sampling information of $W = C_2 \star \prod_{i \in a} Y_i$ (see section 4).

Guess. Eventually $\mathcal{A}$ outputs a bit $b' \in \{0,1\}$. At this point, $\mathcal{B}$ searches the $\mathcal{H}^{\mathit{list}}$ to find a tuple $(Z_j, \mathcal{H}_j)$ such that
$$\mathcal{O}(Z_j, P) = W. \tag{11}$$
If such a tuple does not exist in the $\mathcal{H}^{\mathit{list}}$, algorithm $\mathcal{B}$ reports failure and terminates. Otherwise, $\mathcal{B}$ sets $\mathit{result} \leftarrow \mathcal{T}(\sigma_W, -1, Z_j) = W^{-1} \star Z_j$. Since equation (11) gives $Z_j = P^{-1} \star W$, we have $\mathit{result} = P^{-1}$, and algorithm $\mathcal{B}$ outputs $\mathit{result}$ as the solution to the $\mathrm{GIP}_{\mathbb{G}}$ instance.

Clearly, the simulation provided by algorithm $\mathcal{B}$ is sound. Therefore, from claims 1 and 2 in the proof of [23, lemma 4.2], we can conclude that
$$\Pr\big[\text{a tuple } (Z_j, \mathcal{H}_j) \text{ appears in the } \mathcal{H}^{\mathit{list}} \text{ such that equation (11) is satisfied}\big] \geq 2 \cdot \epsilon_3.$$
Thus, $\epsilon \geq 2 \cdot \epsilon_3$. The running time of $\mathcal{B}$ is the running time of $\mathcal{A}$ plus the time required for generating the $\mu_3$ public keys; the time required for computing $\mathcal{T}$; the time required for searching up to $\kappa_3$ entries in the $\mathcal{H}^{\mathit{list}}$ (each check of equation (11) costs one oracle query); and the time required for at most $\mu_3$ multiplications in $\mathbb{Z}_n^*$. Thus, $\delta \leq \delta_3 + \Theta(c_1 \mu_3) + \Theta(c_2 \kappa_3)$, where $c_1$ is the time for one multiplication in $\mathbb{Z}_n^*$, and $c_2$ is the time for checking one entry of the $\mathcal{H}^{\mathit{list}}$. Thus, we have the required bounds. □
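The following Python script is an added illustration and not code from the paper. It builds a toy instance of the group $\mathbb{G}$ using the section 6.4 variant (where $\mathbb{G}_1$ is an order-$n$ subgroup of a prime field, so no pairing is needed), runs KeyGen, BC-Encrypt and BC-Decrypt of section 5.4 for a set of users, and then performs the Guess step of the proof above: $\mathcal{B}$ scans the $\mathcal{H}$-list for a $Z_j$ with $\mathcal{O}(Z_j, P) = W$ and outputs $\mathcal{T}(\sigma_W, -1, Z_j) = P^{-1}$. The primes, the Paillier instance with base $t = n + 1$, the use of truncated SHA-256 as $\mathcal{H}_1$, and the "adversary" that queries $\mathcal{H}$ at the real decryption input are all constructed for the demonstration (that adversary is handed $\sigma_P$ only so it can make the query the proof assumes); the parameters are far too small to be secure.

```python
# Constructed toy of the O-SAOWF group G, the broadcast encryption of section 5.4
# and the H-list extraction step of theorem 5.3.  Parameters are tiny and insecure.
import hashlib
import math
import random
from functools import reduce

random.seed(7)
p, q = 1009, 1013                      # toy RSA primes; section 6.1 wants n of ~1024 bits
n, nn = p * q, (p * q) ** 2
lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Paillier key, held only by the oracle
t = n + 1                              # Paillier base; t^n = 1 mod n^2
ORACLE_CALLS = [0]                     # counts queries to O

def is_prime(m):
    return m > 1 and all(m % d for d in range(2, math.isqrt(m) + 1))

# G_1 = subgroup of order n in GF(ell)^*, ell = c*n + 1 prime (section 6.4 variant, no pairing)
c = next(c for c in range(2, 10 ** 6, 2) if is_prime(c * n + 1))
ell = c * n + 1
g = next(gg for gg in (pow(h, c, ell) for h in range(2, ell))
         if pow(gg, p, ell) != 1 and pow(gg, q, ell) != 1)   # order exactly n

def unit():                            # uniform element of Z_n^*
    while True:
        u = random.randrange(2, n)
        if math.gcd(u, n) == 1:
            return u

def enc(m):                            # Paillier encryption of m in Z_n
    return pow(t, m, nn) * pow(unit(), n, nn) % nn

def dec(ct):                           # Paillier decryption (needs lam): L(c^lam) / L(t^lam) mod n
    L = lambda u: (u - 1) // n
    return L(pow(ct, lam, nn)) * pow(L(pow(t, lam, nn)), -1, n) % n

def sample():                          # Sample(params): A = (g^a, Enc(a)) with sampling information a
    a = unit()
    return (pow(g, a, ell), enc(a)), a

def O(A, B):                           # the oracle: A * B, i.e. multiply the decrypted exponents
    ORACLE_CALLS[0] += 1
    ab = dec(A[1]) * dec(B[1]) % n
    return (pow(g, ab, ell), enc(ab))

def T(sigma_A, e, B):                  # A^e * B, computed locally from sigma_A (e may be negative)
    s = pow(sigma_A, e, n)
    return (pow(B[0], s, ell), pow(B[1], s, nn) * pow(unit(), n, nn) % nn)

def H(A):                              # H(A) = H_1(x): hash the first component only (footnote 7)
    return int.from_bytes(hashlib.sha256(str(A[0]).encode()).digest()[:16], "big")

P, sigma_P = sample()                  # public P; sigma_P is kept only for the cheating adversary

def keygen():                          # private key sigma_X, public key Y = X * P
    X, sigma_X = sample()
    return T(sigma_X, 1, P), sigma_X

def group_public_key(pubkeys):         # Y_a = Y_1 * ... * Y_k: k-1 oracle queries
    return reduce(O, pubkeys)

def group_private_key(sigma_Xi, others):   # K_a = X_i * prod_{j != i} Y_j: k-2 oracle queries
    return T(sigma_Xi, 1, reduce(O, others))

def bc_encrypt(m, Y_a):                # (c1, C2) = (m xor H(R * Y_a), R * P); no oracle query
    R, sigma_R = sample()
    return m ^ H(T(sigma_R, 1, Y_a)), T(sigma_R, 1, P)

def bc_decrypt(ct, K_a):               # one oracle query: K_a * C2 = R * Y_a
    return ct[0] ^ H(O(K_a, ct[1]))

def extract_inverse(h_list, W, sigma_W):
    """Guess step of theorem 5.3: the Z_j with O(Z_j, P) = W gives W^-1 * Z_j = P^-1."""
    for Z in h_list:
        if O(Z, P)[0] == W[0]:         # equation (11), compared on the class representative x
            return T(sigma_W, -1, Z)
    return None

def demo(k=4, m=0x00112233445566778899aabbccddeeff):
    """Every member of a = {1..k} decrypts; an outsider combining k-1 member keys does not."""
    keys = [keygen() for _ in range(k)]
    ct = bc_encrypt(m, group_public_key([Y for Y, _ in keys]))
    members = [bc_decrypt(ct, group_private_key(s, [Y for j, (Y, _) in enumerate(keys) if j != i]))
               for i, (_, s) in enumerate(keys)]
    _, sigma_out = keygen()
    outsider = bc_decrypt(ct, group_private_key(sigma_out, [Y for Y, _ in keys][:-1]))
    return members, outsider

def reduction_demo(k=3):
    """B samples the Y_i itself (so it knows sigma_Y_i), embeds P and recovers P^-1 from the H-list."""
    ys = [sample() for _ in range(k)]
    C2, sigma_C2 = sample()
    W = reduce(O, [C2] + [Y for Y, _ in ys])
    sigma_W = sigma_C2 * math.prod(s for _, s in ys) % n
    real_query = T(sigma_P, -1, W)     # P^-1 * W: the adversary's decryption input (cheat: uses sigma_P)
    h_list = [sample()[0], real_query, sample()[0]]
    P_inv = extract_inverse(h_list, W, sigma_W)
    return O(P_inv, P)[0] == g         # P^-1 * P is the identity, whose first component is g^1
```

Calling `demo()` returns the plaintext recovered by each member and the garbage recovered by the outsider; `reduction_demo()` returns True when the element extracted from the $\mathcal{H}$-list, multiplied by $P$ through the oracle, is the identity. Resetting `ORACLE_CALLS` around `group_public_key` confirms the $k - 1$ query count of section 5.4, and the fact that `bc_encrypt` never touches the oracle is what makes $\mathcal{T}$ (not $\mathcal{O}$) the sender's only tool.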

6 Implementation And Efficiency 

In this section, we will briefly touch upon issues relating to implementation and efficiency of our primitive. 
Although our construction of O-SAOWF has other applications as demonstrated, we feel that its primary 
use will be for highly dynamic group key agreement in applications like "secure chat" . Our system offers 
the advantage that the group key need not be precomputed for communication between group members. 
Thus, there is no specific ordering between the users. 

6.1 Key Size 

Factoring $n$ enables an attacker to solve $\mathrm{GIP}_{\mathbb{G}}$. Based on the current state of the art in factoring algorithms, we suggest using a modulus $n$ of about 313 decimal digits ($\approx 1024$ bits) for moderate security applications.$^8$ This also makes computing discrete logarithms in $\mathbb{G}_1$ intractable using Pollard's rho method [25, p. 128]. Using these parameters, elements of $\mathbb{G}$ can be represented with at most $\approx 384$ bytes: 128 bytes for the first component in $\mathbb{G}_1$ and 256 bytes for the second component in $\mathbb{Z}_{n^2}^*$. The public keys $Y_i$ of section 5, which are elements of $\mathbb{G}$, will be 384 bytes each. The private keys $\sigma_{X_i}$, on the other hand, which are elements of $\mathbb{Z}_n^*$, will be 128 bytes.

6.2 Query Overhead 

In all the above protocols, we have been working in the equivalence classes of $\mathbb{G}$ rather than the individual elements themselves. For any $A = (x, y) \in \mathbb{G}$, the equivalence class $[A]$ is completely characterized by the first element $x$. The second element $y$ is used only as an 'auxiliary' input for the oracle, and is useless to anyone who does not know the factorization of $n$. Thus, verification of the second element cannot provide additional security. With this consideration in mind, we slightly modify the Verify algorithm of section 4.4 and remove the call to the Verify-In-Group subroutine, since computing the bilinear pairing allows verification of the first element $x$. The computation overhead is given in table 1.

$^8$ See the RSA factoring challenge (http://www.rsasecurity.com/rsalabs/node.asp?id=2092) and the article "TWIRL and RSA key size" (http://www.rsasecurity.com/rsalabs/node.asp?id=2004). It is thought that 1024-bit keys will be secure till the year 2010 while 2048-bit keys will be secure till the year 2030.
Table 1: Computation involved in a query



6.3 Batch Queries 

For increased efficiency in partial public key computation, we will assume that calls to the oracle can be batched as follows: for any $i$ inputs $A_1, A_2, \ldots, A_i \in \mathbb{G}$, the oracle outputs $A_1 \star A_2 \star \cdots \star A_i$. In this case, for key computation in a group of $m$ users each user must make a single batch call requiring a message of size $O(m)$ bits to be sent to the oracle. The reply of the oracle constitutes just one element of size $O(1)$. However, we lose the ability to verify the output of the oracle in a "batch query".

6.4 Verifiability Of The Oracle 

If verifiability of the oracle is not required (i.e. we need protection only from passive adversaries), then instead of the bilinear group $\mathbb{G}_1$ we can use a finite field having a multiplicative subgroup of order $n$. The set $\mathbb{S}$ defined in section 4 is then the set of $\phi(n)$ elements of order $n$ in this field.

6.5 Fast Paillier Decryption 

Since each computation of $\star$ requires two decryptions, it is desirable to obtain a faster decryption procedure. In [29, section 6], a fast variant of the Paillier cryptosystem is presented where decryption does not require the factors of $n$ and runs with almost quadratic complexity. In this variant, $\lambda = (p-1)(q-1)$ has a large prime factor $v$. The public key is $(t, n)$ such that the order of $t \in \mathbb{Z}_{n^2}^*$ is $vn$. The private key is $v$. Encryption and decryption are described below.

Encrypt. Plaintext is $m \in \mathbb{Z}_n$. Generate $r \leftarrow \mathbb{Z}_n^*$ and compute $c = t^{m + nr} \bmod n^2$. The ciphertext is $c$.

Decrypt. Ciphertext is $c \in \mathbb{Z}_{n^2}^*$. Compute
$$m = \frac{L(c^v \bmod n^2)}{L(t^v \bmod n^2)} \bmod n, \qquad \text{where } L(u) = \frac{u - 1}{n}.$$
This is correct because $t^{vn} = 1$ gives $c^v = (t^v)^m \bmod n^2$, and $t^v$ lies in the order-$n$ subgroup $\{1 + kn\}$ of $\mathbb{Z}_{n^2}^*$, on which $L$ is a homomorphism to $\mathbb{Z}_n$.

Semantic security of this variant does not depend on the DCRA assumption, but instead relies on the weaker Decisional Partial Discrete Logarithm Assumption (DPDLA) [29, theorem 20], which states that the following problem is hard.

Decisional Partial Discrete Logarithm Problem ($\mathrm{DPDLP}_{(t,n)}$). Fix any $t \in \mathbb{Z}_{n^2}^*$ such that the order of $t$ is $vn$ for unknown $v$. Given $w \in \langle t \rangle$ and $x \in \mathbb{Z}_n$, output 1 if $\exists\, y \in \mathbb{Z}_n^*$ s.t. $w = t^x y^n \pmod{n^2}$, otherwise output 0.
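As an added worked example, not taken from [29] or from the paper, the fast variant above in Python with constructed toy parameters. The factors of $n$ are used exactly once, to build a base $t$ of order $vn$; after that, decryption needs only $v$. Here $v = 23$ stands in for the large prime factor of $\lambda$, and $t$ is assembled as $(1 + n) \cdot a^{n\lambda/v}$, a construction chosen for this demonstration (the paper does not say how $t$ is generated). The primes are far too small for any real use.

```python
# Constructed toy of the fast Paillier variant of section 6.5: decryption uses
# only the private exponent v, never the factors of n.  Insecure parameters.
import math
import random

random.seed(3)
p, q = 1009, 1013
n, nn = p * q, (p * q) ** 2
lam = (p - 1) * (q - 1)                  # 2^6 * 3^2 * 7 * 11 * 23; the factors are used only here
v = 23                                   # toy stand-in for the large prime factor of lambda


def make_base():
    """t of order exactly v*n: (1+n) has order n and a^(n*lam/v), when != 1, has order v."""
    while True:
        a = random.randrange(2, nn)
        h = pow(a, n * lam // v, nn)       # kills every prime-order component except v's
        if math.gcd(a, n) == 1 and h != 1:
            return (1 + n) * h % nn


t = make_base()
L = lambda u: (u - 1) // n               # Paillier's L function on elements 1 + kn of Z_{n^2}^*


def fast_enc(m):                          # c = t^(m + n*r) mod n^2 with r in Z_n^*
    r = random.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = random.randrange(1, n)
    return pow(t, m + n * r, nn)


def fast_dec(c):                          # m = L(c^v) / L(t^v) mod n: the exponent is v, not lambda
    return L(pow(c, v, nn)) * pow(L(pow(t, v, nn)), -1, n) % n


def order_is_vn():                        # t^(vn) = 1 while t^n != 1 and t^v != 1
    return pow(t, v * n, nn) == 1 and pow(t, n, nn) != 1 and pow(t, v, nn) != 1


def roundtrip(m):
    return fast_dec(fast_enc(m))
```

`order_is_vn()` checks the property the public key must have, and `roundtrip(m)` exercises encryption followed by the $v$-only decryption; with a real-sized $n$ the saving is the difference between a $|v|$-bit and a $|\lambda|$-bit exponentiation modulo $n^2$ for each of the two decryptions that every $\star$ costs the oracle.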

6.6 Decentralizing The Oracle 

Distributing the oracle is desirable, since each oracle call involves 3 exponentiations in $\mathbb{G}_1$ (irrespective of the decryption algorithm). It is possible to share the Paillier decryption key (known only to the oracle) between different trusted authorities, with the weakness that compromise of even one would compromise the entire system. We close this section with a comparison of our scheme with previously proposed group key agreement methods in table 2.

7 Conclusion 

In this paper, we presented a practical implementation of a new cryptographic primitive known as an Oracle Strong Associative One-Way Function (O-SAOWF). As some practical applications of this primitive, we presented a one-round key agreement scheme for dynamic ad-hoc groups based on the protocol due to Rabi and Sherman.
Table 2: Comparison of our group key agreement scheme

The scheme can be extended to group signatures as demonstrated in section 5.3. In reality, we also demonstrate a "pay-per-use" cryptographic primitive using the oracle. The advantage of our scheme in comparison with other centralized schemes is that the central controller does not maintain any state information of the groups it is managing. It just acts as a "computing device" for users registered with it. We envisage several interesting applications of this primitive in the near future.

As we demonstrate, the ability to "multiply" using the oracle does not give us the ability to "divide" in $\mathbb{G}$ because its order is unknown. This ensures that a Euclidean-like algorithm does not work here. The curious property of our O-SAOWF is that it is weakly invertible. In other words, given $A \in \mathbb{G}$, it is possible to compute a pair $(B, B') \in \mathbb{G}^2$ such that $A = B \star B'$ even without using the oracle.$^9$ We conclude this section with two open questions.

1. Prove/disprove conjecture 4.9. In other words, find the complexity of the group inversion problem $\mathrm{GIP}_{\mathbb{G}}$.

$^9$ To see this, sample $(B, \sigma_B) \leftarrow \mathsf{Sample}(\mathit{params})$. Then $B' = \mathcal{T}(\sigma_B, -1, A) = B^{-1} \star A$, which is computable locally because the sampling information $\sigma_B$ is known.






2. Construct a group of hidden order where the group operation is computable and strongly non- 
invertible. In other words, exhibit a practical SAOWF construction. 
APPENDIX



A Soundness Of Verify-ln-Group Algorithm 

The reader is referred to section 4.4 (the Verify-In-Group algorithm) for the notation used here. First we define the following problem.

Decision Exponent Class Problem ($\mathrm{DECP}_{(t,n,g,\mathbb{G}_1)}$): Given $\{t, n, g, \mathbb{G}_1\} \subset \mathit{params}$ and a pair $(x, y) \in \mathbb{G}_1 \times \mathbb{Z}_{n^2}^*$, where $x = g^a$ and $y = t^b r^n \bmod n^2$ for unknowns $(a, b, r) \in \mathbb{Z}_n \times \mathbb{Z}_n \times \mathbb{Z}_n^*$, output 1 if $[a \equiv b \pmod p] \vee [a \equiv b \pmod q]$ (equivalently, $\gcd(a - b, n) > 1$), otherwise output 0.

The following theorem shows that the Verify-In-Group algorithm is sound if $\mathrm{DECP}_{(t,n,g,\mathbb{G}_1)}$ is intractable.

Theorem A.1. If the decision exponent class problem is hard then the Verify-In-Group algorithm is sound.

Proof. The input to the Verify-In-Group algorithm is $(x, y) \in \mathbb{G}_1 \times \mathbb{Z}_{n^2}^*$. We must show that if the algorithm outputs 1 then $(x, y) \in \mathbb{G}$. Let $x = g^a$ and $y = t^b r^n \bmod n^2$ for unknowns $(a, b, r) \in \mathbb{Z}_n \times \mathbb{Z}_n \times \mathbb{Z}_n^*$. The transformation of $(x, y)$ to $(x_1, y_1)$ and $(x_2, y_2)$ in step 2 of the algorithm can be denoted by the mapping
$$f_1 : \mathbb{Z}_n \times \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{G}_1 \times \mathbb{Z}_{n^2}^*, \qquad (u, v, w) \mapsto \big(g^{au + v},\; t^{bu + v}\, r^{un} w^{n} \bmod n^2\big),$$
that is, $(x, y) \mapsto (x^u g^v,\; y^u t^v w^n \bmod n^2)$ for random $(u, v, w)$.

Consider the cases when the algorithm outputs 1.

Case 1. $[a \equiv b \pmod p] \wedge [a \equiv b \pmod q]$: In this case $a = b$ and so $(x, y) \in \mathbb{G}$. Therefore, $f_1(u, v, w) \in \mathbb{G}$ for all $(u, v, w) \in \mathrm{domain}(f_1)$. In this case, the output of the Verify-In-Group algorithm is consistent with its requirements.

Case 2. $[a \not\equiv b \pmod p] \wedge [a \not\equiv b \pmod q]$: It is not hard to prove that the mapping $f_1$ is a bijection in this case. Since both sides of $f_1$ have the same number of elements, $n^2 \phi(n)$, it is enough to prove that $f_1$ is invertible with respect to every element in $\mathbb{G}_1 \times \mathbb{Z}_{n^2}^*$. Let $(g^{a_1}, t^{b_1} r_1^n \bmod n^2) \in \mathbb{G}_1 \times \mathbb{Z}_{n^2}^*$ be an element of the right side of $f_1$. If a preimage $(u_1, v_1, w_1)$ of $f_1$ exists for this element, then we must have
$$\begin{aligned} a_1 &\equiv a u_1 + v_1 \pmod n \\ b_1 &\equiv b u_1 + v_1 \pmod n \\ r_1 &\equiv r^{u_1} w_1 \pmod n \end{aligned} \tag{12}$$
Subtracting the first two congruences gives $(a - b) u_1 \equiv a_1 - b_1 \pmod n$, which determines $u_1$ uniquely exactly when $a - b$ is invertible modulo $n$; $v_1$ and $w_1$ then follow from the first and third congruences. Hence equation (12) has a unique solution in $(u_1, v_1, w_1)$ for all $(a_1, b_1, r_1)$ if and only if $(a - b) \in \mathbb{Z}_n^*$, in other words, if and only if $\gcd(a - b, n) = 1$. Note that $\gcd(a - b, n) = 1$ is another way of saying that $[a \not\equiv b \pmod p] \wedge [a \not\equiv b \pmod q]$.

Since $f_1$ is a bijection, the distributions $\{(x_1, y_1)\}$ and $\{(x_2, y_2)\}$ are identical to the uniform distribution on $\mathbb{G}_1 \times \mathbb{Z}_{n^2}^*$. If the oracle $\mathcal{O}^*$ can make the algorithm output 1 then we can use $\mathcal{O}^*$ to solve $\mathrm{CDHP}_{(g, \mathbb{G}_1)}$ (see section 3) as follows:

1. Input is $g, g^{\sigma_1}, g^{\sigma_2}$ and our goal is to output $g^{\sigma_1 \sigma_2}$.

2. Generate $y_1, y_2 \leftarrow \mathbb{Z}_{n^2}^*$.

3. Set $x_1 \leftarrow g^{\sigma_1}$ and $x_2 \leftarrow g^{\sigma_2}$.

4. Give $(x_1, y_1), (x_2, y_2)$ as input to the oracle $\mathcal{O}^*$ in step 3 of the algorithm instead of the real values.

Since the forged and real distributions of $\{(x_1, y_1)\}$ and $\{(x_2, y_2)\}$ are identical, the oracle $\mathcal{O}^*$ cannot distinguish between the forged and real inputs. Accordingly it will reply with $(x', y')$ such that the algorithm outputs 1 in step 4. In this case $x'$ is the required solution to the $\mathrm{CDHP}_{(g, \mathbb{G}_1)}$ instance.
Case 3. $[a \equiv b \pmod p] \wedge [a \not\equiv b \pmod q]$ (or $\gcd(a - b, n) > 1$ and $a \neq b$): The probability that a randomly picked pair $(x, y) \in \mathbb{G}_1 \times \mathbb{Z}_{n^2}^*$ satisfies $\gcd(a - b, n) > 1$ and $a \neq b$ is $\frac{p + q - 2}{pq}$, which can be neglected for large $p, q$. On the other hand, if the adversary ($\mathcal{O}^*$) knows in advance that $\gcd(a - b, n) > 1$ but does not know both of $\{a, b\}$, then the adversary knows that the distribution of the image
$$f_1(u_1, v_1, w_1) = \big(g^{a_1},\; t^{b_1} r_1^n \bmod n^2\big)$$
always satisfies $a_1 \equiv b_1 \pmod p$. In this case, our security relies on the adversary's inability to distinguish elements of this distribution from randomly chosen elements of $\mathbb{G}_1 \times \mathbb{Z}_{n^2}^*$, assuming the hardness of $\mathrm{DECP}_{(t,n,g,\mathbb{G}_1)}$. Under this assumption, we can use the adversary $\mathcal{O}^*$ to solve $\mathrm{CDHP}_{(g, \mathbb{G}_1)}$ as in the previous case. The case of $[a \not\equiv b \pmod p] \wedge [a \equiv b \pmod q]$ is handled similarly.

Thus, we have proved that the algorithm is sound under the assumption that the problems $\mathrm{DECP}_{(t,n,g,\mathbb{G}_1)}$ and $\mathrm{CDHP}_{(g, \mathbb{G}_1)}$ are intractable. □



B Identity Based Encryption Using O-SAOWFs 

In this section we give (without a security proof) an Identity Based Encryption (IBE) scheme as another application of our O-SAOWFs. We refer the reader to the standard definitions of an IBE scheme and to section 4.4 for the notation used here. In summary, our IBE scheme has four PPT algorithms Setup-IBE, KeyGen, ID-Encrypt and ID-Decrypt. The definition of "PPT" has the usual caveat; oracles are considered as algorithms.

1. The Setup-IBE algorithm takes as input some security parameter. It outputs the IBE system parameters par and the IBE master key m-key.

2. The KeyGen algorithm takes as input the values par, m-key and a random string $i$. It outputs the private key prv-key$_i$ corresponding to the string $i$.

3. The ID-Encrypt algorithm takes as input par, a random message $m$ and a random string $i$. It outputs a ciphertext $c$.

4. The ID-Decrypt algorithm takes as input par, a private key prv-key$_i$ (corresponding to some string $i$) and a ciphertext $c$. It outputs a message $m$.

The ID-Encrypt and ID-Decrypt algorithms satisfy the standard consistency constraint:
$$\forall m\ \forall i \quad \text{ID-Decrypt}(\text{par}, \text{ID-Encrypt}(\text{par}, m, i), \text{KeyGen}(\text{par}, \text{m-key}, i)) = m.$$

In an IBE scheme, the master key m-key is known only to a trusted authority known as the Key Generating Center (KGC) that is responsible for distributing private keys. In our construction, although the oracle $\mathcal{O}$ is required for computation, it need not be the Key Generating Center (KGC). The four algorithms are described below.

1. Setup-IBE: Set $(X, \sigma_X), (Y, \sigma_Y) \leftarrow \mathsf{Sample}(\mathit{params})$ and set $Z \leftarrow \mathcal{T}(\sigma_X, 1, Y) = X \star Y$. Finally set par $\leftarrow (Y, Z) \in \mathbb{G}^2$ and m-key $\leftarrow (\sigma_X, \sigma_Y) \in \mathbb{Z}_n^{*2}$, and output (par, m-key).

2. KeyGen: Let $i \in \mathbb{N}$ be the input string. Set prv-key$_i \leftarrow \mathcal{T}(\sigma_X, -i, Y) = X^{-i} \star Y \in \mathbb{G}$ and output prv-key$_i$.

3. ID-Encrypt: Our message space is $\{0,1\}^k$ where $k < \log_2(n)$, and we require a cryptographic hash function $\mathcal{H} : \mathbb{G} \to \{0,1\}^k$. To encrypt a message $m \in \{0,1\}^k$ using the input string $i \in \mathbb{N}$, first generate random $(R, \sigma_R) \leftarrow \mathsf{Sample}(\mathit{params})$. Then compute
$$c_1 = m \oplus \mathcal{H}(\mathcal{T}(\sigma_R, 1, \mathcal{E}(Y, i+1))) = m \oplus \mathcal{H}(Y^{i+1} \star R),$$
$$C_2 = \mathcal{T}(\sigma_R, 1, \mathcal{E}(Z, i)) = Z^i \star R = X^i \star Y^i \star R.$$
The ciphertext is $(c_1, C_2)$. Both $c_1$ and $C_2$ can be computed directly, without oracle queries, if $Y^{i+1}$ and $Z^i$ are precomputed; otherwise each $\mathcal{E}$ costs $O(\log i)$ oracle queries.

4. ID-Decrypt: To decrypt an arbitrary ciphertext $(c_1, C_2)$ compute
$$m = c_1 \oplus \mathcal{H}(\mathcal{O}(C_2, \text{prv-key}_i)) = c_1 \oplus \mathcal{H}(C_2 \star X^{-i} \star Y).$$
Decryption is correct, because for a legitimate ciphertext:
$$C_2 \star X^{-i} \star Y = (X^i \star Y^i \star R) \star (X^{-i} \star Y) = Y^{i+1} \star R.$$